"Do Not Track" is a legally binding order, German Court tells LinkedIn
Berlin Regional Court largely upholds the vzbv's lawsuit against LinkedIn Ireland Unlimited Company
GDPR was designed around the "Do Not Track" browser flag, so that websites can get a semblance of consent using those annoying cookie prompts, with dark patterns like hiding the "Decline all cookies" button inside the second page of the prompt, or using very small fonts and gray colors plus very confusing language. And they have carried on with complete impunity for 5 years now.
Luckily in Germany the law states that at least the "Decline all cookies" button has to be in the same place as the "Accept all cookies" one. So at least the local sites are kind of easy to navigate.
The only problem at the moment is the "Accept all cookies or buy a subscription" banners. But as far as I know the courts are inclined to side with the customers on this one as well.
I mean, most companies still don’t abide by it though. There are lots of sites where you can accept all cookies or you have to jump through a few hoops to decline the non-essential ones.
Totally. If we’re going to make real change with this we need hard enforcement that says “you must provide a default setting that can be set per browser” or something that avoids the entire need for sifting through their cookie menu to find out I left one turned on. But this is a peak example of ineffective laws to govern the internet made by people who don’t have any experience in computer science. I’m sure we will continue to see “do not track is just a suggestion” messages continuously. Or the requirement for each individual website to specify what type of tracking in absurd detail.
A while ago I ran into a site that had a toggle for your selection of being tracked or not, but there was no text indicating which side of the toggle meant yes/no and it stayed green no matter which way you toggled it. Can’t imagine it would hold up in court but I’m not the one with the money to deal with it.
My personal favorite is the one that defaults to "off", but when you go to the detailed page it puts "legitimate interest" on every single goddamn option with no "disallow all" option.
There are certain things you are allowed to use cookies for even without asking for permission (i.e. they wouldn't even need to tell you about them). These are effectively the kinds of things that are necessary for your website to work in the first place: for instance, if you have a dark and a light mode and you want people to change this even without logging in. Another example is language settings (this is why sites like e.g. DuckDuckGo can have a "settings" tab despite the fact that you are not logged into anything).
The rule-of-thumb is that everything that is directly related to the functionality of your website is fair even without asking (they are "essential").
Of course the specifics are a little more tricky: for instance, you could have a shop in which you can put things into your "shopping basket" without being logged in. This is fine since it's core functionality. However, if you use that same cookie to also inform your recommendation algorithm, you could get into trouble. Another aspect is third-party cookies: these, while not theoretically always requiring permission, in practice do need express permission since you, as the website host, cannot guarantee what happens with these cookies (and third-party cookies are, in general, an easy way to track users, which isn't core functionality for most websites).
To be fair, some websites do need certain cookies to function correctly. As a random example, if a user goes to their bank's website, they're more than likely not going to know what to enable/disable cookie-wise so that the website is still functional for logging into their account. So I can understand lumping those actual essential cookies into one category in those instances. However, I agree that it's almost certainly being abused.
Every request your browser makes to a website is like the first time that website has ever seen you. Each image, content request, etc. All from somebody completely new and unknown[1].
The only way a website can identify you as a user is to ask your browser to store a unique ID (generated by the website) that you can then present with each request. This is a 'cookie'. It gives you a temporary identifier that can be used to recognize later requests as coming from the same person.
Without a cookie you couldn't log in to any sites. Even if you're not logging in, without a cookie the website couldn't remember what your language preferences were (important in Quebec or other government sites), or timezone, etc. It couldn't even remember that you wanted to reject all "non-essential" cookies and would prompt you on every page request. Every single request would be from an unknown person visiting the site for the first time.
[1] Yes, I've simplified some with keep-alive etc.
The cookie which stores the "Do Not Track" request is pretty essential, don't you think? Cookies are just what we call a particular website's local device cache. You can store whatever you want in there, but they are best used for user settings: what user-configurable theme the site should use, maybe a login token. Essential cookies (cache) are the ones the site needs to function properly.
Cache isn't scary, it's the tracking info and other related data they use to sell you ads.
I went to one major website and looked at their privacy policy page (can't recall which one now, wish I did), and they explicitly said something to the effect of "yeah we see your 'do-not-track' header, but since there's no law that defines what that means from a technical implementation perspective, we're just ignoring it".
I am not exaggerating either, they plainly said (1) we see your flag, and (2) we're going to ignore it.
And it's like motherfucker, you've got the technical chops to be able to detect the flag and acknowledge as much, but in the same breath are trying to tell me you don't know what to do about it?!
My ass they don't. Like Judge Judy used to say: Don't piss on my leg and tell me it's raining.
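What honoring the flag looks like server-side, tying together the essential/non-essential split discussed earlier in the thread and the "we see your header but ignore it" complaint above. This is an added example, not code from any commenter or from LinkedIn; the cookie names and the essential/non-essential classification are illustrative assumptions.

```python
# Added example: a request handler that reads the browser's "DNT: 1" header and
# refuses to set cookies classified as non-essential when it is present.
# Cookie names and their classification below are assumptions for illustration.
from http.cookies import SimpleCookie

# Essential: the site cannot work without them (session, language, the
# consent choice itself). Non-essential: analytics/advertising identifiers.
ESSENTIAL = {"session", "lang", "cookie_consent"}
NON_ESSENTIAL = {"ad_id", "analytics_uid"}


def do_not_track(headers):
    """True when the browser sent the DNT: 1 request header (case-insensitive)."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("dnt") == "1"


def choose_cookies(headers, wanted):
    """Return the subset of `wanted` {name: value} cookies this request may set.

    Essential cookies are always allowed; non-essential ones only when the
    browser did not send DNT: 1; unclassified names are dropped so that a new
    cookie must be classified before it can ever be set.
    """
    dnt = do_not_track(headers)
    allowed = {}
    for name, value in wanted.items():
        if name in ESSENTIAL:
            allowed[name] = value
        elif name in NON_ESSENTIAL and not dnt:
            allowed[name] = value
    return allowed


def set_cookie_headers(cookies):
    """Serialize allowed cookies as Set-Cookie values with hardened attributes."""
    out = []
    for name, value in cookies.items():
        jar = SimpleCookie()
        jar[name] = value
        jar[name]["secure"] = True      # only over HTTPS
        jar[name]["httponly"] = True    # not readable from page scripts
        jar[name]["samesite"] = "Lax"   # not sent on cross-site POSTs
        out.append(jar[name].OutputString())
    return out


if __name__ == "__main__":
    # Constructed request: the browser asked not to be tracked.
    request_headers = {"Host": "example.invalid", "DNT": "1"}
    wanted = {"session": "s1", "lang": "de", "ad_id": "a1"}
    for line in set_cookie_headers(choose_cookies(request_headers, wanted)):
        print("Set-Cookie:", line)
```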
Yeah, I've had similar experiences when requesting account deletions for services. Basically "we are under no legal mandate to delete your data, get bent", because I'm not lucky enough to be protected by GDPR or California law.