Comment by fluidcruft
5 days ago
Not totally following but it sounds like you are saying one of the things they have been doing involves abusing mandated GDPR cookie notices to secretly track people?
Yes? The cookie in question is First Party, which means you’ve consented to permitting only that party to track you using it, and not permitting its use for wider behavioral tracking across websites.
However, the locally hosted FB/Yandex listener receives all of these first party cookies, from all parties, and the OP's implication is (I think) that now these non-correlatable-by-consent first party cookies can be or are being used to track you across all sites that use them.
Not only did you only consent to the one party using it, but the browser has robust protections in place to ensure that these cookies are only usable by that party. This “hack” gets around the restriction completely, leveraging a local service to aggregate all the cookies across sites.
This is why things involving cookies for permission to do things were really poison pills. As long as there is a cookie to be tracked, any at all, you have the data exfil/tracking problem. Only thing that changes is where the aggregation happens.
IANAL, but it's not GDPR-conformant consent in any way. Consent needs to be informed, unambiguous, and freely given to be valid and should be easy to reject. The only way for this to be valid would be a consent form with something like:
Allow Meta tracking to connect the Facebook or Instagram app on your device to associate visits to this website with your Meta account. Yes/No (With No selected as a default.)
I am pretty sure that this is a grave violation of the GDPR.
That's probably already part of the consent form websites pop up listing 200 different trackers. If you permit data sharing with Facebook/IG/Meta in the consent form, you're consenting to tracking in general, not just cookie-based tracking.
"No" doesn't even need to be selected as a default, as long as you don't use dark patterns. Making the user manually click yes or no is perfectly valid (as long as you don't make "yes" easier than "no", so if you add an "allow all" button there should be an equally prominent "deny all" button).
Which, on the face of it, sounds like a violation of the GDPR...
The intent of these laws is just so obtuse and unclear! And beyond that complying is technically impossible to implement but you could only understand that if you were a rocket scientist PhD computer science wizkid making $$$$k in California which isn't that much in such a high cost of living area donchaknow. /sardonic
>abusing mandated GDPR cookie notices to secretly track people?
How does that even work? What can GDPR cookie notices do that the typical tracker can't do?
The cookie preference pop-up is a cookie. To track your preference, they need a cookie. We legally mandated a cookie. They're using the cookie regardless. But no one will call them on it until a critical mass is reached to get cases in a sufficiently large number of jurisdictions to curtail the behavior.