This Leipzig ruling is notable, but the practical impact may be more limited than the €5,000 figure suggests. While the court explicitly said users don't need to prove individual damages to sue, European class action mechanisms are still quite different from US-style litigation.
Germany doesn't have the same litigation incentive structures as the US - no contingency fees, loser-pays costs, and relatively limited collective redress options. Most German consumers aren't going to file individual €5,000 lawsuits over tracking pixels, especially given the legal costs and time involved.
Personally, I hope this gets picked up by a consumer protection organization or a well-funded litigation group. Germany has been gradually expanding its collective action framework, but it's still primarily driven by qualified entities rather than individual plaintiffs.
VikingTechGuy · 18h ago
In Germany consumers are opted in by default, unlike all other European countries.
This is also why there currently are class action lawsuits against X and TikTok based in Germany with claims of damages of EUR 500 and EUR 2000.
hsbauauvhabzb · 1d ago
Sounds like something someone could commoditise. 2500 free euro! Sign here!
oytis · 1d ago
AFAIK that business model already works with rental contracts.
rglullis · 22h ago
It definitely does for canceled/delayed flight tickets. Some years ago we had a flight that was canceled in the last minute by TAP and we missed one day from our trip. We got 600€ back from each ticket just by signing up to a website and sending the ticket receipts.
piva00 · 1d ago
In Sweden I've seen quite a few businesses sprung up for that, collecting overpaid rent through a legal firm.
Completely agree that if it's a similarly straightforward process there will be businesses offering to litigate on the users' behalf and collect a fee, I'd be jumping on it if I only had to file a report and wait for the work to be done to collect a couple thousand €.
coev · 21h ago
> In Sweden I've seen quite a few businesses sprung up for that, collecting overpaid rent through a legal firm.
This seems like the bizarro world version of American debt collection firms, cool!
lauritz · 1d ago
It should be noted that this may not stand on appeal. The full decision is not yet available. All we know is from the press statement.
For example, the court ruled that the plaintiff is entitled to these damages without even hearing them personally on what kind of injury they sustained. This is an interesting direction, and we will see how it is argued in the decision itself. I would assume this could be something that Meta challenges on appeal.
Another way to go would be to argue that this lawsuit involves unresolved questions of EU law that need to be addressed by the ECJ.
In either case, this verdict will create some legal uncertainty in the short term, and I assume many people will sue---but we shall see what happens on appeal and perhaps at the ECJ, which will perhaps be a couple of years out.
fauigerzigerk · 1d ago
What I don't understand is the responsibility of Facebook vs the operator of the website where the tracking takes place. I thought that under GDPR it was the responsibility of the website to get consent from users before passing on data to ad networks.
mpweiher · 1d ago
Both are liable. From TFA:
"The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."
fauigerzigerk · 23h ago
Only if the ruling holds up on appeal. What I'm wondering is whether it will hold up.
cess11 · 1d ago
What do you mean by website as a "place"? I'm not so sure the GDPR mentions tracking. Here's what the court said was relevant:
"Meta, operator of the social networks Instagram and Facebook, has developed Business Tools that numerous operators embed in their websites and apps and that send the data of Instagram and Facebook users to Meta. Every user is individually identifiable to Meta at all times as soon as they move around the third-party websites or have used an app, even if they have not logged in via their Instagram or Facebook account. Meta Ireland sends the data, without exception, worldwide to third countries, in particular to the USA. There it analyses the data to an extent unknown to the user."
fauigerzigerk · 23h ago
I mean that under GDPR, website owners as data controllers must get user consent before embedding third party tracking technologies on their websites to pass on data to Facebook.
It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.
The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?
alkonaut · 1d ago
Can't some shady legal firm now just dig out who is in the exact same situation as this user, and sue on behalf of them, keeping (say) 10%? I'd be happy to let them.
But in the end this kind of thing shouldn't be regulated by lawsuits from individuals. The fines as I remember it can be up to 4% global annual revenue and it's about time someone actually handed a fine of 4% global annual revenue to a company the size of Meta, so companies finally realize that the law isn't just a recommendation.
lauritz · 1d ago
There are (non-shady) firms that do exactly this for other areas (flight compensation, most notably).
There are some issues with contingency fees in German legal professional law. However, it can be argued that suing for these 5,000 EUR is just "collections", so it may be allowed.
The risk lies elsewhere: As I outlined in another comment, there is reason to believe that this may not stand on appeal, or at least that other courts in other parts of Germany may decide differently. As a result, it takes a lot of capital to keep all of these lawsuits going until the Federal Court of Justice or the ECJ have decided and there is legal certainty.
pedro_caetano · 1d ago
My understanding is that there is no 1-to-1 European equivalent to class action lawsuits in the USA.
There is a EU directive that allows for "representative action" but it's much narrower scope compared to what Americans are familiar with in class action.
Garlef · 1d ago
Yes. But there's law firms who streamline such individual processes if the business case is actually large enough.
For example there's a law that says the airline needs to pay you 400€(?) if your flight is delayed by more than 2h if it's due to the airlines fault.
There's a company that handles these cases for 130€.
That's 270€ you get and you just need to enter some data.
SSLy · 1d ago
or you can enter the same data into form provided by the airline. I did it once to SN and they paid up just fine.
FirmwareBurner · 23h ago
Not my experience. Airlines BS you on why your flight delay or cancellation was legit so you need to take the legal route as they wipe their ass with your complaints.
cycomanic · 22h ago
I used to fly out of GBG which only has few flights to the intercontinental hubs per day. So it happened to me quite frequently that my incoming intercontinental flight was late by 1.5h which resulted in a 5-7h delay because I missed the connection. That entitles you to 600 euros. After my first 2 trips I quickly learned that for flights into Europe it's only European airlines that have to pay those fines (outbound flights it's everyone). I probably collected around between 4k-6k euros because it happened so often.
I never used one of the "collection agencies", because it's an incredibly easy process to do yourself. Yes some airlines try to wiggle out of it, but you just threaten them with going to arbitration (I think that's what it was? I've moved away from Europe several years ago), and show that you know the rules and they quickly let up, because IIRC they get fined (not just your compensation) if they get found to be in the wrong.
lan321 · 21h ago
Lufthansa surprisingly directly issued 250 euros to my mom for a delayed flight after filling out the passenger name and flight number on a site provided by their chatbot, which also explained how to use a 20 Euro food voucher they provided directly. It was very well made imo.
alkonaut · 20h ago
The EU has really put their foot down when it comes to these claims. There is no legit delay or cancellation. Either I'm there on time or not. And if I'm late or the flight is cancelled then the carrier will reimburse. This seems to work pretty well these days is my experience.
FirmwareBurner · 20h ago
Austrian Airlines did not honor my delay claim, citing "everything was right". Had to go to consumer protection.
Symbiote · 22h ago
I've done it twice and was paid the compensation, but both times were normal airlines, not budget carriers.
SSLy · 15h ago
I only had to do it once, but they cooperated well.
pjc50 · 22h ago
Pedantry: the EU doesn't have a unified legal system.
veunes · 1d ago
Yeah, class action-style suits are probably coming, especially now that this ruling sets a precedent
ekunazanu · 1d ago
AFAIK Germany (and most European countries) has civil law, so court rulings probably won't have as much of an impact as it would in countries like the US
alkonaut · 1d ago
Once it reaches the highest court, it will set precedent. So there is no real difference in the end it just takes more time because no precedent is set in a lower court.
oblio · 1d ago
> AFAIK Germany (and most European countries) has civil law
Most of the world, actually. Pure common law systems are just in CANZUKUS (and a few dozen of other minuscule former British colonies).
adw · 16h ago
Not even all of the UK. Scotland is a hybrid system.
jxjnskkzxxhx · 1d ago
You guys remember how 5+ years ago, a headline like this on HN would invariably prompt cries from the Americans that this was just the Europeans finding excuses to take advantage and steal from poor innocent American companies. How the mood has changed on this huh. I'm glad to see the European approach vindicated, even if at times not strong enough.
lompad · 1d ago
And not only are those cries wrong, reality is quite the opposite. The vast majority of fines are towards European businesses. Big Tech aren't the only ones who violate data privacy standards all the time. [0] You just don't read about those here, so people like to just assume those fines don't exist.
Additionally, it helps to actually learn how the current law developed - it primarily was modeled after the German Bundesdatenschutzgesetz, which was put into law in a modern form in the 90s, long before FAANG.
Worth noting the tracker does not track which fines are currently being contested (in an obvious manner). i.e. do not assume all the fines you see there have actually been paid
Though probably safe to assume the smaller fines against smaller companies with smaller lobbying^H^H^H^H^H^H legal teams most likely have :-)
rafaelmn · 1d ago
I went to the site and sorted by fine - I needed to go to the bottom of second list to find a non US company ? By the time I get to pages that are mostly non US companies the fines are two orders of magnitude smaller and dropping fast - do you have any aggregate view to compare ? I would not be surprised at all that indeed most of the fines were towards US companies in total amount.
const_cast · 11h ago
IME as an American, US companies play much more fast and loose with laws. Especially tech, which has "disrupt first, ask questions later" approach to ethics.
oblio · 1d ago
I saw TikTok at #3 and #5, Enel (Italian) at #15, Vodafone at #19 (British) and starting at around #21 the list is basically dominated by European companies.
Speaking from personal experience, American companies, especially the big ones, tend to treat everyone else as "Americans that they don't know they're American yet" or alternatively "slightly dumb Americans".
At least for one of them, yeah, they apply the legal laws, but the general decisions are taken in the US with little regard for local "non-impeding laws", I would call them. "Impeding laws" would be laws that would block the launch of something (for example they wouldn't attach an AR-15 to every product sold). "Non-impeding laws" would for example be, labor laws. They just assume that what works in the US sort of works everywhere else and deal with the consequences along the way.
rafaelmn · 1d ago
I count TikTok as big tech non-EU so I automatically put it in to that bucket but you are right it is not a US company. Still fits the theme that EU is using GDPR to shake down big tech it does not own. I missed Enel (did not know about them) and yeah Vodafone was bottom page 2 first EU brand I recognized from the list, but OK middle of page 2 for non-EU.
Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
vampirical · 1d ago
Please re-read what you’ve written in these two comments with a critical eye. You’re speaking from a lack of knowledge without very much care and reaching incorrect conclusions that agree with your initial bias. When someone else does the work of helping nudge you towards reality you seem to be doing a poor job correcting. Sorry if this comes across as rude, it’s said with the kindest of intentions.
rafaelmn · 23h ago
So I did quick excel math - I took just the US companies from top 100, summed them and then I summed everything else (the entire list, not just top 100) - including tiktok - and the ratio is almost 3 to one against US companies in total.
In fact Meta alone is fined more than everyone else combined.
What exactly am I missing ?
oblio · 23h ago
The fact that the EU just doesn't have big companies in the fields that are more likely to be abusive with customer data.
It's a bit like the sweatshop argument. If your company wins out by using sweatshops, yeah, you're going to end up with the billion dollar argument. But if a certain market doesn't want stuff produced by sweatshops, and they decide to dis-incentivize it by tariffing it, that:
a) makes sense from their point of view
b) is moral from a global perspective
Similar approach here.
rafaelmn · 22h ago
That's all a matter of perspective, not something I am willing to argue. EU has a history of making protectionist legislation under the guise of protecting its members, eg. the whole GMO story, and I can see how someone can make an argument here. If it is valid or not is up to you I guess.
But saying that the fines are mostly towards EU members when over 2/3 is fined towards US companies is misrepresenting the data and the opposing viewpoint.
oblio · 18h ago
Fixing a typo:
* you're going end up with the billion dollar company
noirscape · 1d ago
> big tech it does not own
If a company does business in the EU, it's dealing with EU citizens, giving the EU jurisdiction over how that business is conducted.
The EU absolutely has full legal standing for this; if big tech doesn't want to abide by it, they can always leave the EU.
American companies get fined more often for the simple reason that they break the GDPR more often since the US lacks the same legal privacy framework, which means they don't have the same incentive to comply with it and instead try to rules lawyer around it.
cess11 · 23h ago
"Still fits the theme that EU is using GDPR to shake down big tech it does not own."
No, the EU is trying to protect the rights of its citizens.
If they wanted to "shake down big tech" they'd just do a Turkey or India and pressure them to do their bidding in terms of censorship and information exchange.
rafaelmn · 23h ago
>If they wanted to "shake down big tech" they'd just do a Turkey or India and pressure them to do their bidding in terms of censorship and information exchange.
We are already leaning on US intelligence agencies for data and every audit finds no problem in how the US handles EU data... get real - the EU is just not in the position to pull the same move because it is not the same kind of entity or legal structure, they do tariffs and regulations/collecting fines.
cess11 · 18h ago
The data protection body that gave a veneer of legality to US corporations touching EU citizen data has been defunct for a while.
piva00 · 1d ago
> Still fits the theme that EU is using GDPR to shake down big tech it does not own.
It's not a shake down, it's the fucking law which they don't follow and have to pay fines accordingly. Every single business in the EU has to follow these laws, if the US-based ones are not taking proper measures to not act illegally that's on them, not on the legislation, this shake down narrative is quite tired by now.
> Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
Perhaps because the US companies are more eager in breaking laws and figuring it out later? Isn't that the whole take on EU vs US business approach, the US ones are big risk takers (including in acting illegally) vs EU ones being risk-averse?
I feel disheartened that this narrative is still spewed on HN, it's just vitriol, the US companies are breaking the law of EU members, if they do business here they need to follow the law, it's absurdly simple.
rafaelmn · 23h ago
This isn't something I really care to argue - OP was pretending like the fines were spread out equally in the EU and somehow the US complaints are baseless - when it's obvious that the fines are heavily weighted towards US companies.
Whatever this is based on - OP was misrepresenting the data.
piva00 · 22h ago
I don't think OP said anything about the spread of the fines amount being equal, they brought up that there are many EU-based companies who have been levied fines, I believe you interpreted it wrongly and are bashing a non-existing argument.
US companies have been fined larger sums because their transgressions are more common, they do it repeatedly, and their global revenue is higher, there's no conspiracy here, it's exactly how the law is written.
I invite you to re-read their point:
> The vast majority of fines are towards european businesses.
Which is true, the majority of fines are towards EU-based businesses, not the majority of the amount in fines.
Again, if US-based companies with a much higher revenue and market penetration weren't breaking the laws they wouldn't be levied the higher fines.
burnerthrow008 · 2h ago
> It's not a shake down, it's the fucking law which they don't follow and have to pay fines accordingly. Every single business in the EU has to follow these laws,
That’s a lie, and you know it.
Spotify is not a “gatekeeper” according to the DMA. Why? Because there is a specific carve out for streaming businesses. German newspapers do not have to comply with the GDPR. Why? Again, because there is a specific carve out for newspapers.
These laws are specifically written so that they only apply to businesses that by an unbelievably amazing series of coincidences just happen to be those not based in the EU.
Also known as a shakedown.
piva00 · 1h ago
Can you point me to the carve outs in the EU's directives? No, I'm not aware of those carve outs (and German newspapers display the GDPR notices for me all the time).
And it applies to all newspapers so there's no distinction between being German or American.
If you believe it's a shakedown maybe you are looking at this with very nationalistic eyes, if US companies cannot abide by the law it's on them, most other companies do.
And Spotify doesn't have a carve out, if you read the DMA you'll understand why streaming is not considered a gatekeeper (since it's not a walled garden).
VikingTechGuy · 18h ago
It's not fines, it's damages for 1 visitor.
FranzFerdiNaN · 1d ago
It's because American companies are much larger than most European companies in terms of revenue. And because the impact of their infringements are much larger due to the nature of their business. If Bumfuck LLC from Sweden with maybe a 1000 customers fucks up they aren't impacting millions of users, unlike when Google or Meta does things.
Raed667 · 1d ago
I was surprised to see doctors and even a bakery on the list!
delusional · 1d ago
One of the earliest enforcement actions was against a mailing list. If I remember it was because it CCed all the participants instead of BCCing them.
riffraff · 1d ago
5 years? I think it was last week.
detaro · 1d ago
[flagged]
gdwatson · 1d ago
As an American, my reservations about European privacy laws are related to jurisdiction, and none of them applies here. I welcome this decision.
phendrenad2 · 18h ago
No no, you misunderstand. Over here in America we have given up on fighting it and prefer to let mega-corps like Google and Meta own the advertising space. Smaller companies quickly moved to a subscription model, at least until the EU finds a way to make money illegal.
apples_oranges · 1d ago
Americans are still asleep at 7GMT ;)
andsoitis · 1d ago
> cries from the Americans that this was just the Europeans finding excuses to take advantage and steal from poor innocent American companies
> You guys remember how 5+ years ago, a headline like this on HN would invariably prompt cries from the Americans
I remember it. I'm pretty sure it's always just been the sellouts that work for anti-consumer tech companies (and the wannabes). Sometimes they're rationalizing their career to themselves and us, other times they're aware and just saying whatever they think will keep the con running for as long as possible.
One of the things HN serves as is a no-risk place for scrupleless software businesspeople to practice how to swindle nerds with specious arguments.
samplatt · 1d ago
Er... No, sorry, I don't remember anyone saying that at all.
surgical_fire · 1d ago
Amazing. On like every thread of EU fining some US company for things such as privacy violations there's a stream of mor... er... users claiming that EU is only using that as a revenue stream to extract money from US companies because they have no homegrown businesses or similar bullshit (despite European companies being fined the same way).
Hell, you can find some of the same moronic arguments on this very thread still.
Symbiote · 22h ago
Trump also made the claim, back when he was justifying tariffs against the EU.
surgical_fire · 21h ago
I hope EU cranks up the pressure against US because of that, using the EU Anti-Coercion Instrument as designed.
snickerdoodle12 · 1d ago
I very clearly do. So that's weird.
bigyabai · 1d ago
It entirely saturates discussions about companies that rhyme with "Snapple" in my experience.
oblio · 1d ago
Oh, for Snapple, don't forget the Snapp Store discussions:
"My grandparents have a clean iPhone for 40 years because of the Snapp Store!! Nobody should be able to install things from 3rd party Snapp Stores, they might be harmful!!"
jxjnskkzxxhx · 1d ago
LOL there's people saying it in this thread.
thaumasiotes · 1d ago
> How the mood has changed on this huh.
I don't think you're right on the timing, but a related essay:
Just to clarify I completely agree with the fines in both the US and EU, remember big corporations are not your "team" (for the vast majority of you).
pjc50 · 18h ago
I'm also reminded of the record-breaking fines against British Petroleum.
But the entire structure of US car design is an anti-competitive barrier! There's all sorts of special extra requirements and taxes to discourage overseas manufacturers or smaller cheaper cars, and Americans are proud of that! Not to mention the recent fad for tariffs.
piva00 · 1d ago
Those companies choose to operate in the EU, if they don't like the legal environment they can just pack up and leave. Why do you think they don't do that? Why do you feel the need to defend companies breaking the law?
123yawaworht456 · 21h ago
lease an apartment
spend a lot of time and money moving your things there
live there for a decade
the landlord shows up and informs you that you are forbidden from using the toilet between 6 PM and 8 PM, effective immediately, punishable by a fine equal to your monthly income. why? fuck you, that's why. if you don't like the legal environment you can just pack up and leave
const_cast · 11h ago
The difference is the toilet is pretty important. Hard to live without a toilet...
But these privacy-violating actions are completely optional, so optional in fact you need to go very far out of the way to implement them. Most of them rely on shady pseudo-vulnerabilities, which may be patched at any point. And they sometimes are - I mean, entire businesses have been killed by this sort of thing.
It's risky. You're relying on the legislator, yes, but you're also relying on platforms. If your revenue rides on some rare, convoluted "feature" in Chrome, for instance, Google can fix that at any point and you're fucked.
So just stop doing that. It's a bad idea. These companies need to find more reliable and ethical revenue streams. If you do volatile shit then yeah, it's volatile.
subscribed · 19h ago
These companies (notably Google, apple, twitter) have no problem bending to the law in China but _somehow_ they have problems with Europe? (I guess fines aren't high enough)
fireflash38 · 19h ago
Yeah, makes sense. Landlords do super shitty things to people and will push them as hard as they can to make money. And if you signed a lease that let them do that that's on you right? And you can leave if you don't like it?
subscribed · 19h ago
Lease an apartment.
Pretend you're a normal person.
Secretly snoop on all the phone calls, conversations, documents in the whole house.
Take creepy pictures and upload them "for later"
Monitor all the internet traffic in the house, for all the other inhabitants.
Throw a hissy fit when you're fined for knowingly, blatantly breaking the law for years (and sometimes lying about that).
I don't think it's a suitable analogy but you do you to try to justify companies breaking the law :)
As far as I hear from the HN crowd if the company feels it's not profitable anymore they will just pack up and leave (hence why many here defend not taxing corporations), this is exactly that case: there's money to be made, they will stick around, perhaps realising that paying fines is eating into their profits and change behaviour. If they don't like it, just pack up and leave, corporations are only interested in making profits, housing is not an analogous to that as much as you might want to play that card.
surgical_fire · 1d ago
Meta is very welcome to stop operating in EU to not be subject to their laws.
Or, you know, they could just respect the law. Like other companies that operate here. Novel concept I know.
And, to complement your lack of research, EU companies are subject to those laws and are frequently fined as well for those violations.
giingyui · 1d ago
You can’t really express those opinions here anymore because of the overall political shift of the website, which is enforced (always has been) through the moderation system. It’s not specifically about this particular decision.
juliangmp · 1d ago
I really hope it turns into a class action because I'd so wish to be part of it
And, just like always, nothing meaningful will be done.
veunes · 1d ago
Interesting that the court emphasized identifiability even without logging in. That cuts right through the usual "anonymous tracking" defense a lot of companies hide behind
Biologist123 · 1d ago
Very interesting. Could become a geopolitical and trade football between Europe and US. Tariffs anyone? Ultimately it’s a question of power: will Europe allow its citizens to be predated upon? My guess is probably.
In Germany consumers do not need to file a lawsuit, they are included by default, which is very different than all other European countries.
VikingTechGuy · 18h ago
You can scan any website or ecommerce solution and see which 3rd parties they load before consent using this free privacy scanner -> https://privacyscanner.aesirx.io/
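One way to run the check this comment describes on your own capture, as an added example that is not part of the thread and not the linked scanner's code: it reads a HAR export of a page load and lists the third-party sites contacted before the consent click. The sample capture, its hosts and the function names are constructed, and the consent timestamp is assumed to be noted by the auditor.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: a trimmed HAR-style capture of one page load on the
# hypothetical site shop.example. All hosts and timestamps are invented.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"startedDateTime": "2025-07-10T09:00:00.000Z",
             "request": {"url": "https://shop.example/"}},
            {"startedDateTime": "2025-07-10T09:00:00.150Z",
             "request": {"url": "https://static.shop.example/app.js"}},
            {"startedDateTime": "2025-07-10T09:00:00.400Z",
             "request": {"url": "https://connect.tracker-a.example/events.js"}},
            {"startedDateTime": "2025-07-10T09:00:00.900Z",
             "request": {"url": "https://www.tracker-a.example/tr?id=123&ev=PageView"}},
            {"startedDateTime": "2025-07-10T09:00:01.100Z",
             "request": {"url": "https://fonts.cdn-b.example/font.woff2"}},
            # Loaded after the consent click, so not a pre-consent finding.
            {"startedDateTime": "2025-07-10T09:00:07.500Z",
             "request": {"url": "https://ads.network-c.example/pixel.gif"}},
        ]
    }
}


def parse_har_time(value):
    """Parse a HAR startedDateTime (ISO 8601, possibly ending in 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def site_of(host):
    """Approximate the registrable domain as the last two labels.

    Simplification for this example: a real audit should use the Public
    Suffix List, since this is wrong for suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pre_consent_third_parties(har, page_url, consent_time):
    """Map each third-party site to the URLs requested before consent.

    consent_time is the moment the auditor clicked "accept" (assumed to be
    recorded by hand or by the test harness); pass a time after the last
    entry to audit a load where consent was never given.
    """
    first_party = site_of(urlsplit(page_url).hostname)
    cutoff = parse_har_time(consent_time)
    findings = {}
    for entry in har["log"]["entries"]:
        if parse_har_time(entry["startedDateTime"]) >= cutoff:
            continue  # request happened after the user consented
        url = entry["request"]["url"]
        host = urlsplit(url).hostname
        if host is None:
            continue  # data: or blob: URLs have no host to attribute
        site = site_of(host)
        if site != first_party:
            findings.setdefault(site, []).append(url)
    return findings


if __name__ == "__main__":
    report = pre_consent_third_parties(
        SAMPLE_HAR, "https://shop.example/", "2025-07-10T09:00:05Z")
    for site, urls in sorted(report.items()):
        print(f"{site}: {len(urls)} request(s) before consent")
        for url in urls:
            print(f"  {url}")
```

A tracker served from a subdomain of the site itself, as with the CNAME cloaking mentioned elsewhere in the thread, counts as first-party here and needs a DNS check to surface.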
redleader55 · 20h ago
I have a few big problems with this ruling:
1. The sum. You are tracked and you get shown some ads. How does that cause you 5k EUR in damages?
2. Responsibility. If a site decides to add tracking or ads from a company, is only the ads company responsible for the tracking and damages?
3. Many of the services on the internet are free or cheaper because of ads. Because of that I find the attitude of the judges making these rulings disingenuous.
4. How much of this is outrage against American companies caused by the rift between US and Europe?
sidcool · 1d ago
Call me cynical, but nothing's going to change
herbst · 1d ago
Imo a lot of change is already happening. The sentiment wasn't good the last years but now it's turning into going away from American services rather sooner than too late.
More and more European alternatives pop up, governments and companies are switching stack.
It will take a while to migrate, but I am sure effects will be visible soon enough to US companies
emsign · 1d ago
If these rulings and laws were meaningless, the Trump administration wouldn't be blackmailing the EU over it.
charcircuit · 17h ago
Just because a profile can be valuable, that doesn't mean that someone creating that profile damages you by that amount. If I document a celebrity's hobbies I'm not damaging the celebrity.
gherkinnn · 1d ago
Meta and their scummy little ways. And this is just what we know they're up to.
verst · 1d ago
These tracking "pixels" are used across the entire ad tech industry. It is very pervasive. Amazon, Twitter / X, Facebook / Meta, Pinterest, Snap, TikTok...
Walf · 1d ago
It's not just pixels. They strongly encourage site owners to send (normalised and hashed) personal data from every interaction to them, with the promise of better targeting for the site's ads. You cannot block this or opt out because it's server-side.
JimDabell · 1d ago
> You cannot block this or opt out because it's server-side.
Facebook’s latest approach is to give people instructions on setting up a relay server in their own infrastructure so that privacy software that blocks third-party tracking still works, even when it looks at IP addresses to detect things like CNAME cloaking.
The positive of that approach (for users) is that it relies on client-side scripts, so it's possible for privacy tools to target those.
herbst · 1d ago
Another reason not to deal with any company that has any kind of Facebook focus at all
rkagerer · 1d ago
Yep, and it doesn't make it right.
I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.
There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.
After-the-fact opt out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.
A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.
I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).
The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.
I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.
I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.
The story goes to show that if you choose to push back, sometimes you can win.
Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
vasco · 1d ago
So you're still tracked the same way as everyone else and they didn't sign any of your changes, so how are you protected?
const_cast · 11h ago
I think if class-actions come up in the future they have a pretty good case. It seems to me there's a good chance of getting the ball rolling on this stuff - the world is becoming much more aware of the risks associated with online privacy.
Really, the banking industry should be some of the most aware. They lose millions, maybe billions, to fraud and identity theft. The fact they engage with it and enable it demonstrates how strong the suits are and how little they understand.
Want to stop identity theft? Stop leaking personal data to hundreds of third parties. We don't know if they're running their shitty analytics on a Raspberry Pi taped under someone's cubicle. There's a reason we keep having data breaches.
rkagerer · 1d ago
It's a fair question.
Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.
> they didn't sign any of your changes
I didn't sign any new agreements of theirs, either.
The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.
And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).
vasco · 20h ago
I see, it's better than nothing indeed. The only grief you can cause them that actually matters is moving your money though, but I'm not sure there's any bank that doesn't do similar tracking.
fsflover · 1d ago
But did you actually try to find a better bank not sending your data to Facebook? In EU, these should exist.
bluecalm · 1d ago
>>Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
While GDPR had some good intentions the way it is implemented in practice just makes things more difficult for consumers and changes little.
For example in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.
The main effect of the regulation is that you waste 30 seconds on every call to a business you make for listening about stuff about their privacy policy and then on every form you have to consent to something or be denied service.
rkagerer · 1d ago
I hate how it spurred every website under the sun to ask for cookie consent. My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.
> you have to consent to something or be denied service
I hate this too.
But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper, doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDF's. I recognize not everyone has bargaining power, and I was fortunate in my case.
Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. Eg. In my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.
I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.
noirscape · 23h ago
> My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.
Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR, it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means in which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).
Basically if you want to store data for things that aren't obviously necessary to provide service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter, that's what the GDPR is for). So a shopping cart or a session cookie don't need consent banners, since those get filled out in accordance with things users expect (if you login, it's expected that the site knows who you are in future requests, if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)
Cookie banners are effectively an attempt to maliciously comply with this directive combined with legal paranoia. The second one is easier to explain; if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.
The first is more malicious; browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and in fact, GPC is worse at protecting against tracking. GPC only opts out against selling data, DNT opts out against tracking for any purpose whatsoever.
Advertisers habitually ignore/use these headers for fingerprinting, but a German court has decided that the DNT header has full legal backing as a "I don't want to be tracked" indicator in a case against LinkedIn and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC Header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)
The main point is access to the terminal equipment of the consumer has to be explicit, there is no relation to DNT etc.
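The distinction drawn in noirscape's comment above, sketched as server-side logic in an added example that is not from the thread: strictly necessary storage is always allowed, a `DNT: 1` request is treated as a refusal of all tracking with no banner shown, and `Sec-GPC: 1` as a refusal of data sale only (the comment's reading). The cookie names, the purpose registry and the rule that a browser signal overrides a stored "granted" answer are assumptions of the example.

```javascript
// Added example (not from the thread). Cookie names and the registry are
// hypothetical; the request header names DNT and Sec-GPC are real.

// What each piece of client-side storage is for. "necessary" entries are the
// ones a user expects from the action they took (login, cart, remembering
// their banner answer) and need no consent prompt.
const REGISTRY = {
  session_id:   { necessary: true },
  cart:         { necessary: true },
  consent:      { necessary: true },
  analytics_id: { necessary: false, purpose: 'tracking' },
  ad_partner:   { necessary: false, purpose: 'sale' },
};
const OPTIONAL_PURPOSES = ['tracking', 'sale'];

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    const name = i < 0 ? '' : part.slice(0, i).trim();
    if (!name) continue;
    out[name] = part.slice(i + 1).trim();
  }
  return out;
}

// Read the browser's opt-out signals. Header names are matched
// case-insensitively; only the exact value "1" counts as a signal.
function readSignals(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  return { dnt: h['dnt'] === '1', gpc: h['sec-gpc'] === '1', cookie: h['cookie'] || '' };
}

// Decide, for one request, whether to show a consent banner and which
// storage items the response may set.
function decide(headers) {
  const sig = readSignals(headers);
  const stored = parseCookies(sig.cookie).consent; // 'granted' | 'denied' | undefined

  const refused = new Set();
  if (sig.dnt) OPTIONAL_PURPOSES.forEach((p) => refused.add(p)); // no tracking at all
  if (sig.gpc) refused.add('sale');                              // sale/sharing only
  if (stored === 'denied') OPTIONAL_PURPOSES.forEach((p) => refused.add(p));

  // Assumption: a browser-level signal overrides an earlier "granted" answer
  // for the purposes that signal covers.
  const open = OPTIONAL_PURPOSES.filter((p) => !refused.has(p));
  const granted = stored === 'granted' ? open : [];

  // Ask only about purposes that are neither refused nor already answered,
  // so a DNT user is never prompted.
  const showBanner = stored === undefined && open.length > 0;
  const allowed = Object.keys(REGISTRY).filter(
    (name) => REGISTRY[name].necessary || granted.includes(REGISTRY[name].purpose)
  );
  return { showBanner, askAbout: showBanner ? open : [], allowed };
}

// Enforce the decision on outgoing Set-Cookie lines. Names missing from the
// registry are dropped (default deny).
function filterSetCookies(decision, setCookieLines) {
  return setCookieLines.filter((line) =>
    decision.allowed.includes(line.split('=')[0].trim())
  );
}
```
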
rkgkglflms · 1d ago
On the contrary, GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking, if anything is provided after accepting optional tracking, it must also be available if declining tracking. This is very easy for a layman to understand when reading GDPR.
What your bank is doing is clearly illegal.
bluecalm · 1d ago
With GDPR it matters how countries incorporate it in their law and that doesn't work in practice.
>>GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking
Good intentions, doesn't work.
You call a bank, they read a contract to you for 5 minutes you spot some sharing with partners (who knows who they are) there, you try to protest saying "ok but let's make sure it's not for advertisement" and the answer is "I can't do anything that's the contract you either accept or we can't open an account for you".
>>This is very easy for a layman to understand when reading GDPR.
What matters are laws of specific countries that implement it and what results are in practice. That's why I wrote about good intentions and real effects.
>>What your bank is doing is clearly illegal.
And there is nothing I can do about it.
mafuy · 1d ago
Is there a consumer protection institution in your country? They could sue on your behalf.
Kbelicius · 23h ago
>> What your bank is doing is clearly illegal.
> And there is nothing I can do about it.
So your argument for why GDPR is bad is that it is not being followed by all that it applies to... I mean, what do you expect as a response to that besides "That is stupid"?
bluecalm · 14h ago
My point is that it's written in a way that makes malicious compliance possible.
One way to improve it would be to make it clear you can't require any consent before providing your service. It's either necessary or don't ask for it. As it is in Poland you are now served a long form at every opportunity and you have to agree to some part of it or be denied service. Online or when calling you get to listen to a long formula about privacy policy and who administers your data every time you call a bank or most other institutions. It made everyday life worse.
There is no way for me to verify that a given entity is following the contract anyway. GDPR could easily be transparent for consumers/clients. Instead it resulted in additional burden.
PicassoCTs · 1d ago
The denial to market by vetoing is working, but it's not a long term strategy. To push that back, the EU would have to push its own social network alternative, that undermines Meta's growth in those fields.
I cannot see that yet.
tossandthrow · 1d ago
> the EU would have to push its own social network alternative
Why?
A thing it seems like a lot of people are missing is that European companies are taken to the same (if not a higher) standard for compliance with EU law.
The EU regulates to ensure that market participants work fairly - these rules are generally not about trading barriers (if they were, they'd do it poorly)
herbst · 1d ago
The next social network will not be another social network.
Most parts of Europe long moved away from any social media dependency all that's left is IM/chatting.
Where only WhatsApp is a somewhat popular American software, the rest isn't.
Edit:// to clarify I am not saying people aren't using Instagram or even Facebook. My point is they don't use it to socialize anymore
vanviegen · 1d ago
> Most parts of Europe long moved away from any social media dependency all that's left is IM/chatting.
Glancing at people's phone screens while riding public transport, I beg to differ. Doom scrolling everywhere. Though much of it is arguably not really 'social network'-like, as most posts appear to be from strangers half a globe away.
herbst · 1d ago
IMO there is nothing classically social about that, none of these apps have any central aspect that makes you engage with people you actually know.
They are just doomscrolling ad platforms not social media in my opinion. It didn't replace anything it just invented a new thing, social is still well and alive in IMs, slack, discord, ...
ranguna · 1d ago
I'd love to agree, but 99% of the people I know use Instagram more than once per day.
herbst · 1d ago
That's totally not my experience at all to be honest. But we all have our unique and different bubbles we end up in.
I know a lot of people with children quasi depend on WhatsApp for their children activities, when in other circles Telegram or Signal would be way more common and the obvious choice.
Edit:// also do they use it as social media or to consume media/ads? If they don't use it as mainly social my point might still be true
tossandthrow · 1d ago
The question is if you see Instagram as a social media or as a feed.
On my own Instagram people who I know make up maybe 1 piece of content every second day.
Otherwise it is Ai generated content that is, unfortunately, very engaging but of a very low quality.
So I understand why there are a lot of people on Instagram.
(personally, I prefer to ruin my health with IPAs over doom scrolling)
saubeidl · 1d ago
Yeah it does feel like social media is... kinda over?
Everyone I know is tired of the concept and tired of the tracking and profiling it entails.
nitwit005 · 1d ago
If there were some huge multi-national social media company headquartered in France, I don't see any reason to believe things would be better. It might be theoretically easier to hold them accountable, but I suspect EU governments would be more prone to listen to their lobbying instead.
ranguna · 1d ago
Why France?
France is not exempt from its anti privacy law attempts around mass surveillance.
nitwit005 · 14h ago
I picked an EU country. It's an example.
edelbitter · 1d ago
I can subscribe to the people I want to keep up with just fine. I do not need alternative ad-money-fueled intermediaries that get to decide what to insert into and remove from my feed. If there are no indefinitely growing profits to be made there, that is perfectly okay.
This seems like the bizarro world version of American debt collection firms, cool!
For example, the court ruled that the plaintiff is entitled to these damages without even hearing them personally on what kind of injury they sustained. This is an interesting direction, and we will see how it is argued in the decision itself. I would assume this could be something that Meta challenges on appeal.
Another way to go would be to argue that this lawsuit involves unresolved questions of EU law that need to be addressed by the ECJ.
In either case, this verdict will create some legal uncertainty in the short term, and I assume many people will sue---but we shall see what happens on appeal and perhaps at the ECJ, which will perhaps be a couple of years out.
"The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."
"Meta, Betreiberin der sozialen Netzwerke Instagram und Facebook, hat Business Tools entwickelt, die von zahlreichen Betreibern auf ihren Webseiten und Apps eingebunden werden und die Daten der Nutzer von Instagram und Facebook an Meta senden. Jeder Nutzer ist für Meta zu jeder Zeit individuell erkennbar, sobald er sich auf den Dritt-Webseiten bewegt oder eine App benutzt hat, auch wenn er sich nicht über den Account von Instagram und Facebook angemeldet hat. Die Daten sendet Meta Ireland ausnahmslos weltweit in Drittstaaten, insbesondere in die USA. Dort wertet sie die Daten in für den Nutzer unbekanntem Maß aus."
It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.
The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?
But in the end this kind of thing shouldn't be regulated by lawsuits from individuals. The fines as I remember it can be up to 4% global annual revenue and it's about time someone actually handed a fine of 4% global annual revenue to a company the size of Meta, so companies finally realize that the law isn't just a recommendation.
There are some issues with contingency fees in German legal professional law. However, it can be argued that suing for these 5,000 EUR is just "collections", so it may be allowed.
The risk lies elsewhere: As I outlined in another comment, there is reason to believe that this may not stand on appeal, or at least that other courts in other parts of Germany may decide differently. As a result, it takes a lot of capital to keep all of these lawsuits going until the Federal Court of Justice or the ECJ have decided and there is legal certainty.
There is an EU directive that allows for "representative action" but it's much narrower in scope compared to what Americans are familiar with in class action.
For example there's a law that says the airline needs to pay you 400€(?) if your flight is delayed by more than 2h if it's due to the airline's fault.
There's a company that handles these cases for 130€.
That's 270€ you get and you just need to enter some data.
I never used one of the "collection agencies", because it's an incredibly easy process to do yourself. Yes some airlines try to wiggle out of it, but you just threaten them with going to arbitration (I think that's what it was? I've moved away from Europe several years ago), and show that you know the rules and they quickly let up, because IIRC they get fined (not just your compensation) if they get found to be in the wrong.
Most of the world, actually. Pure common law systems are just in CANZUKUS (and a few dozen of other minuscule former British colonies).
Additionally, it helps to actually learn how the current law developed - it primarily was modeled after the German Bundesdatenschutzgesetz, which was put into law in a modern form in the 90s, long before FAANG.
[0] see the tracker: https://www.enforcementtracker.com/
Though probably safe to assume the smaller fines against smaller companies with smaller lobbying^H^H^H^H^H^H legal teams most likely have :-)
Speaking from personal experience, American companies, especially the big ones, tend to treat everyone else as "Americans that they don't know they're American yet" or alternatively "slightly dumb Americans".
At least for one of them, yeah, they apply the legal laws, but the general decisions are taken in the US with little regard for local "non-impeding laws", I would call them. "Impeding laws" would be laws that would block the launch of something (for example they wouldn't attach an AR-15 to every product sold). "Non-impeding laws" would for example be, labor laws. They just assume that what works in the US sort of works everywhere else and deal with the consequences along the way.
Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
In fact Meta alone is fined more than everyone else combined.
What exactly am I missing ?
It's a bit like the sweatshop argument. If your company wins out by using sweatshops, yeah, you're going to end up with the billion dollar argument. But if a certain market doesn't want stuff produced by sweatshops, and they decide to dis-incentivize it by tariffing it, that:
a) makes sense from their point of view
b) is moral from a global perspective
Similar approach here.
But saying that the fines are mostly towards EU members when over 2/3 is fined towards US companies is misrepresenting the data and the opposing viewpoint.
* you're going end up with the billion dollar company
If a company does business in the EU, it's dealing with EU citizens, giving the EU jurisdiction over how that business is conducted.
The EU absolutely has full legal standing for this; if big tech doesn't want to abide by it, they can always leave the EU.
American companies get fined more often for the simple reason that they break the GDPR more often since the US lacks the same legal privacy framework, which means they don't have the same incentive to comply with it and instead try to rules lawyer around it.
No, the EU is trying to protect the rights of its citizens.
If they wanted to "shake down big tech" they'd just do a Turkey or India and pressure them to do their bidding in terms of censorship and information exchange.
We are already leaning on US intelligence agencies for data and every audit finds no problem in how the US handles EU data... get real - the EU is just not in the position to pull the same move because it is not the same kind of entity or legal structure, they do tariffs and regulations/collecting fines.
It's not a shake down, it's the fucking law which they don't follow and have to pay fines accordingly. Every single business in the EU has to follow these laws, if the US-based ones are not taking proper measures to not act illegally that's on them, not on the legislation, this shake down narrative is quite tired by now.
> Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
Perhaps because the US companies are more eager in breaking laws and figuring it out later? Isn't that the whole take on EU vs US business approach, the US ones are big risk takers (including in acting illegally) vs EU ones being risk-averse?
I feel disheartened that this narrative is still spewed on HN, it's just vitriol, the US companies are breaking the law of EU members, if they do business here they need to follow the law, it's absurdly simple.
Whatever this is based on - OP was misrepresenting the data.
US companies have been fined larger sums because their transgressions are more common, they do it repeatedly, and their global revenue is higher, there's no conspiracy here, it's exactly how the law is written.
I invite you to re-read their point:
> The vast majority of fines are towards european businesses.
Which is true, the majority of fines are towards EU-based businesses, not the majority of the amount in fines.
Again, if US-based companies with a much higher revenue and market penetration weren't breaking the laws they wouldn't be levied the higher fines.
That’s a lie, and you know it.
Spotify is not a “gatekeeper” according to the DMA. Why? Because there is a specific carve out for streaming businesses. German newspapers do not have to comply with the GDPR. Why? Again, because there is a specific carve out for newspapers.
These laws are specifically written so that they only apply to businesses that by an unbelievably amazing series of coincidences just happen to be those not based in the EU.
Also known as a shakedown.
Edit: found the "carve out" for newspapers: https://data.consilium.europa.eu/doc/document/ST-6087-2021-I...
And it applies to all newspapers so there's no distinction between being German or American.
If you believe it's a shakedown maybe you are looking at this with very nationalistic eyes, if US companies cannot abide by the law it's on them, most other companies do.
And Spotify doesn't have a carve out, if you read the DMA you'll understand why streaming is not considered a gatekeeper (since it's not a walled garden).
Spotify found in violation of EU data protection laws by Stockholm Court - https://www.investing.com/news/stock-market-news/spotify-fou...
Or what about Enel (Italian): https://www.reuters.com/business/energy/italy-regulator-fine...
Or Criteo (French): https://techcrunch.com/2023/06/22/adtech-giant-criteo-his-wi...
H&M (Swedish) fined for breaking GDPR over employee surveillance: https://www.bbc.com/news/technology-54418936
etc.
I remember it. I'm pretty sure it's always just been the sellouts that work for anti-consumer tech companies (and the wannabes). Sometimes they're rationalizing their career to themselves and us, other times they're aware and just saying whatever they think will keep the con running for as long as possible.
One of the things HN serves as is a no-risk place for scrupleless software businesspeople to practice how to swindle nerds with specious arguments.
Hell, you can find some of the same moronic arguments on this very thread still.
"My grandparents have a clean iPhone for 40 years because of the Snapp Store!! Nobody should be able to install things from 3rd party Snapp Stores, they might be harmful!!"
I don't think you're right on the timing, but a related essay:
https://www.imightbewrong.org/p/why-doesnt-hitler-mcfuckface...
has it? if anything, EU continues to fleece US companies with nonsensical, hastily-implemented laws and absurd fines.
https://duckduckgo.com/?q=EU+DSA+twitter
Just to clarify I completely agree with the fines in both the US and EU, remember big corporations are not your "team" (for the vast majority of you).
But the entire structure of US car design is an anti-competitive barrier! There's all sorts of special extra requirements and taxes to discourage overseas manufacturers or smaller cheaper cars, and Americans are proud of that! Not to mention the recent fad for tariffs.
spend a lot of time and money moving your things there
live there for a decade
the landlord shows up and informs you that you are forbidden from using the toilet between 6 PM and 8 PM, effective immediately, punishable by a fine equal to your monthly income. why? fuck you, that's why. if you don't like the legal environment you can just pack up and leave
But these privacy-violating actions are completely optional, so optional in fact you need to go very far out of the way to implement them. Most of them rely on shady pseudo-vulnerabilities, which may be patched at any point. And they sometimes are - I mean, entire businesses have been killed by this sort of thing.
It's risky. You're relying on the legislator, yes, but you're also relying on platforms. If your revenue rides on some rare, convoluted "feature" in Chrome, for instance, Google can fix that at any point and you're fucked.
So just stop doing that. It's a bad idea. These companies need to find more reliable and ethical revenue streams. If you do volatile shit then yeah, it's volatile.
Pretend you're a normal person.
Secretly snoop on all the phone calls, conversations, documents in the whole house.
Take creepy pictures and upload them "for later"
Monitor all the internet traffic in the house, for all the other inhabitants.
Throw a hissy fit when you're fined for knowingly, blatantly breaking the law for years (and sometimes lying about that).
https://wire.com/en/blog/metas-stealth-tracking-another-eu-w...
As far as I hear from the HN crowd if the company feels it's not profitable anymore they will just pack up and leave (hence why many here defend not taxing corporations), this is exactly that case: there's money to be made, they will stick around, perhaps realising that paying fines is eating into their profits and change behaviour. If they don't like it, just pack up and leave, corporations are only interested in making profits, housing is not an analogous to that as much as you might want to play that card.
Or, you know, they could just respect the law. Like other companies that operate here. Novel concept I know.
And, to complement your lack of research, EU companies are subject to those laws and are frequently fined as well for those violations.
https://www.linkedin.com/pulse/5000-pixel-tracker-why-latest...
In Germany consumers do not need to file a lawsuit, they are included by default, which is very different than all other European countries.
1. The sum. You are tracked and you get shown some ads. How does that cause you 5k EUR in damages?
2. Responsibility. If a site decides to add tracking or ads from a company, is only the ads company responsible for the tracking and damages?
3. Many of the services on the internet are free or cheaper because of ads. Because of that I find the attitude of the judges making these rulings disingenuous.
4. How much of this is outrage against American companies caused by the rift between US and Europe?
More and more European alternatives pop up, governments and companies are switching stack.
It will take a while to migrate, but I am sure effects will be visible soon enough to US companies
Facebook’s latest approach is to give people instructions on setting up a relay server in their own infrastructure so that privacy software that blocks third-party tracking still works, even when it looks at IP addresses to detect things like CNAME cloaking.
https://developers.facebook.com/docs/marketing-api/conversio...
I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.
There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.
After-the-fact opt out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.
A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.
I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).
The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.
I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.
I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.
The story goes to show that if you choose to push back, sometimes you can win.
Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
Really, the banking industry should be some of the most aware. They lose millions, maybe billions, to fraud and identity theft. The fact they engage with it and enable it demonstrates how strong the suits are and how little they understand.
Want to stop identity theft? Stop leaking personal data to hundreds of third parties. We don't know if they're running their shitty analytics on a Raspberry Pi taped under someone's cubicle. There's a reason we keep having data breaches.
Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.
> they didn't sign any of your changes
I didn't sign any new agreements of theirs, either.
The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.
And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about it (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).
While GDPR had some good intentions, the way it is implemented in practice just makes things more difficult for consumers and changes little. For example, in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.
The main effect of the regulation is that you waste 30 seconds on every call you make to a business listening to stuff about their privacy policy, and on every form you have to consent to something or be denied service.
> you have to consent to something or be denied service
I hate this too.
But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper, doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDFs. I recognize not everyone has bargaining power, and I was fortunate in my case.
Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. E.g., in my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.
I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.
Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR, it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means in which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).
Basically if you want to store data for things that aren't obviously necessary to provide service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter, that's what the GDPR is for). So a shopping cart or a session cookie don't need consent banners, since those get filled out in accordance with things users expect (if you log in, it's expected that the site knows who you are in future requests; if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross-referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)
Cookie banners are effectively an attempt to maliciously comply with this directive combined with legal paranoia. The second one is easier to explain; if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.
The first is more malicious; browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and in fact, GPC is worse at protecting against tracking. GPC only opts out against selling data, DNT opts out against tracking for any purpose whatsoever.
Advertisers habitually ignore/use these headers for fingerprinting, but a German court has decided that the DNT header has full legal backing as an "I don't want to be tracked" indicator in a case against LinkedIn and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)
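The rule described in the comment above, written out as server-side logic (an added example, not part of the original thread): strictly necessary cookies are always set, everything else waits for consent, and a `DNT: 1` or `Sec-GPC: 1` request header is read as a refusal that also suppresses the banner. The cookie names, the catalogue and the choice to treat both headers alike are assumptions of this example.

```javascript
// Constructed catalogue: which cookies the site can justify as strictly necessary.
const COOKIE_CATALOG = new Map([
  ["session_id",   { purpose: "login session",          necessary: true  }],
  ["cart",         { purpose: "shopping cart",          necessary: true  }],
  ["consent_pref", { purpose: "remember banner choice", necessary: true  }],
  ["_ad_id",       { purpose: "ad tracking",            necessary: false }],
  ["_analytics",   { purpose: "third-party analytics",  necessary: false }],
]);

// Header names are case-insensitive; normalise before looking them up.
function readSignals(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return { dnt: h["dnt"] === "1", gpc: h["sec-gpc"] === "1" };
}

// storedConsent: "granted", "rejected" or null (visitor has not answered yet).
// wanted: cookie names the application would like to set on this response.
function decide(headers, storedConsent, wanted) {
  const { dnt, gpc } = readSignals(headers);
  const signal = dnt ? "DNT" : gpc ? "Sec-GPC" : null;
  // Assumption of this example: a browser opt-out signal always wins,
  // even over a consent stored earlier for this site.
  const refused = signal !== null || storedConsent === "rejected";
  const granted = !refused && storedConsent === "granted";
  const setCookies = wanted.filter((name) => {
    const entry = COOKIE_CATALOG.get(name);
    // Fail closed: a cookie missing from the catalogue counts as non-essential.
    const necessary = entry !== undefined && entry.necessary;
    return necessary || granted;
  });
  // Ask only when there is neither a signal nor a stored answer.
  return { setCookies, showBanner: !refused && !granted, signal };
}

// Constructed request: a browser sending DNT, no prior answer on record.
console.log(decide({ DNT: "1" }, null, ["session_id", "_ad_id", "_analytics"]));
```
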
The main point is access to the terminal equipment of the consumer has to be explicit, there is no relation to DNT etc.
What your bank is doing is clearly illegal.
>>GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking
Good intentions, doesn't work. You call a bank, they read a contract to you for 5 minutes, you spot some sharing with partners (who knows who they are) there, you try to protest saying "ok but let's make sure it's not for advertisement" and the answer is "I can't do anything, that's the contract, you either accept or we can't open an account for you".
>>This is very easy for a layman to understand when reading GDPR.
What matters are laws of specific countries that implement it and what results are in practice. That's why I wrote about good intentions and real effects.
>>What your bank is doing is clearly illegal.
And there is nothing I can do about it.
> And there is nothing I can do about it.
So your argument for why GDPR is bad is that it is not being followed by all that it applies to... I mean, what do you expect as a response to that besides "That is stupid"?
One way to improve it would be to make it clear you can't require any consent before providing your service. It's either necessary or don't ask for it. As it is in Poland, you are now served a long form at every opportunity and you have to agree to some part of it or be denied service. Online or when calling, you get to listen to a long formula about the privacy policy and who administers your data every time you call a bank or most other institutions. It made everyday life worse.
There is no way for me to verify that a given entity is following the contract anyway. GDPR could easily be transparent for consumers/clients. Instead it resulted in additional burden.
Why?
A thing it seems like a lot of people are missing is that European companies are taken to the same (if not a higher) standard for compliance with EU law.
The EU regulates to ensure that market participants work fairly - these rules are generally not about trading barriers (if they were, they'd do it poorly)
Most parts of Europe long moved away from any social media dependency; all that's left is IM/chatting.
Where only WhatsApp is a somewhat popular American software, the rest isn't.
Edit:// to clarify I am not saying people aren't using Instagram or even Facebook. My point is they don't use it to socialize anymore
Glancing at people's phone screens while riding public transport, I beg to differ. Doom scrolling everywhere. Though much of it is arguably not really 'social network'-like, as most posts appear to be from strangers half a globe away.
They are just doomscrolling ad platforms, not social media, in my opinion. It didn't replace anything, it just invented a new thing; social is still well and alive in IMs, Slack, Discord, ...
I know a lot of people with children quasi depend on WhatsApp for their children activities, when in other circles Telegram or Signal would be way more common and the obvious choice.
Edit:// also do they use it as social media or to consume media/ads? If they don't use it as mainly social my point might still be true
On my own Instagram people who I know make up maybe 1 piece of content every second day.
Otherwise it is AI-generated content that is, unfortunately, very engaging but of a very low quality.
So I understand why there are a lot of people on Instagram.
(personally, I prefer to ruin my health with IPAs over doom scrolling)
Everyone I know is tired of the concept and tired of the tracking and profiling it entails.
France is not exempt from its anti privacy law attempts around mass surveillance.