
Comment by rkagerer

2 days ago

Yep, and it doesn't make it right.

I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.

There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.

After-the-fact opt-out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt-out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.

A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.

I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).

The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.

I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.

I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.

The story goes to show that if you choose to push back, sometimes you can win.

Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.

So you're still tracked the same way as everyone else and they didn't sign any of your changes, so how are you protected?

  • I think if class-actions come up in the future they have a pretty good case. It seems to me there's a good chance of getting the ball rolling on this stuff - the world is becoming much more aware of the risks associated with online privacy.

    Really, the banking industry should be some of the most aware. They lose millions, maybe billions, to fraud and identity theft. The fact they engage with it and enable it demonstrates how strong the suits are and how little they understand.

    Want to stop identity theft? Stop leaking personal data to hundreds of third parties. We don't know if they're running their shitty analytics on a Raspberry Pi taped under someone's cubicle. There's a reason we keep having data breaches.

  • It's a fair question.

    Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.

    > they didn't sign any of your changes

    I didn't sign any new agreements of theirs, either.

    The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.

    And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about it (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).

    • I see, it's better than nothing indeed. The only grief you can cause them that actually matters is moving your money though, but I'm not sure there's any bank that doesn't do similar tracking.

    • But did you actually try to find a better bank not sending your data to Facebook? In the EU, these should exist.

> Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.

While GDPR had some good intentions, the way it was implemented in practice just makes things more difficult for consumers and changes little. For example, in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.

The main effect of the regulation is that you waste 30 seconds on every call to a business you make listening to stuff about their privacy policy, and then on every form you have to consent to something or be denied service.

  • I hate how it spurred every website under the sun to ask for cookie consent. My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.

    > you have to consent to something or be denied service

    I hate this too.

    But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDFs. I recognize not everyone has bargaining power, and I was fortunate in my case.

    Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. E.g. in my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.

    I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.

    • > My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.

      Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR, it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means in which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).

      Basically if you want to store data for things that aren't obviously necessary to provide service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter; that's what the GDPR is for). So a shopping cart or a session cookie doesn't need a consent banner, since those get filled out in accordance with things users expect (if you log in, it's expected that the site knows who you are in future requests; if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross-referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)

      Cookie banners are effectively an attempt to maliciously comply with this directive combined with legal paranoia. The second one is easier to explain; if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.

      The first is more malicious; browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and in fact, GPC is worse at protecting against tracking. GPC only opts out against selling data, DNT opts out against tracking for any purpose whatsoever.

      Advertisers habitually ignore/use these headers for fingerprinting, but a German court has decided that the DNT header has full legal backing as a "I don't want to be tracked" indicator in a case against LinkedIn and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC Header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)

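As an added illustration of the distinction drawn in the comment above (not code from any commenter or from any real site), here is a small server-side policy: strictly necessary cookies (session, cart, the stored "consent declined" marker) are set without asking, tracking cookies need an explicit opt-in, and a `DNT: 1` or `Sec-GPC: 1` request header is taken as a standing "no", so the server neither sets tracking cookies nor shows the banner again. The header names are real; the cookie names and the rule that the browser signal overrides a stored "yes" are assumptions made for this example.

```javascript
// Added example: consent policy honouring DNT / Sec-GPC request headers.
// Cookie names below are constructed for this example, not from any real site.
const NECESSARY = new Set(['session', 'cart', 'consent']);

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide what the response may do. `headers` is a lower-cased header map,
// as Node's http module provides in req.headers.
function trackingPolicy(headers) {
  const cookies = parseCookies(headers['cookie']);
  // Either signal is treated as a standing refusal (assumption: it also
  // overrides a "yes" previously stored by the site's own banner).
  const browserSaysNo = headers['dnt'] === '1' || headers['sec-gpc'] === '1';
  const stored = cookies['consent']; // 'yes' | 'no' | undefined
  let consent;
  if (browserSaysNo || stored === 'no') consent = 'no';
  else if (stored === 'yes') consent = 'yes';
  else consent = 'unknown';
  return {
    consent,
    // Ask only when neither the browser nor a stored answer has said anything.
    showBanner: consent === 'unknown',
    allowTracking: consent === 'yes',
    // A refusal is itself remembered so the user is not pestered again;
    // that marker is strictly necessary and needs no consent of its own.
    setCookies: consent === 'no' && stored !== 'no'
      ? ['consent=no; Path=/; SameSite=Lax']
      : [],
  };
}

// Drop any non-necessary Set-Cookie value unless tracking was opted into.
function filterSetCookies(policy, wanted) {
  return wanted.filter(c => NECESSARY.has(c.split('=')[0]) || policy.allowTracking);
}
```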

  • On the contrary, GDPR actually says that it's illegal to condition content or services on the acceptance of tracking; if anything is provided after accepting optional tracking, it must also be available if declining tracking. This is very easy for a layman to understand when reading GDPR.

    What your bank is doing is clearly illegal.

    • With GDPR it matters how countries incorporate it in their law and that doesn't work in practice.

      > GDPR actually says that it's illegal to condition content or services on the acceptance of tracking

      Good intentions, doesn't work. You call a bank, they read a contract to you for 5 minutes, you spot some sharing with partners (who knows who they are) there, you try to protest saying "ok but let's make sure it's not for advertisement" and the answer is "I can't do anything, that's the contract, you either accept or we can't open an account for you".

      > This is very easy for a layman to understand when reading GDPR.

      What matters are laws of specific countries that implement it and what results are in practice. That's why I wrote about good intentions and real effects.

      > What your bank is doing is clearly illegal.

      And there is nothing I can do about it.
