I’d just like to add one thing as an aside. One of the few visible changes that arose from GDPR was the proliferation of cookie / privacy banners, interstitials, pop-ups, overlays, etc.
Good idea in principle. Let people know when they visit your website that cookies are being used. But when you visit website after website after website, all with their own, sometimes very obtrusive, way of announcing they serve cookies, there is a tendency to just click “OK” without giving any further thought as to what it actually means. That’s human nature.
GDPR has been good at getting website owners to take privacy more seriously. Every website should have a privacy policy. But when we think of GDPR, it’s all too easy to think of annoying website popups instead of privacy protection. The true meaning of GDPR is in danger of being lost, buried under a mountain of cookie notices.
You make a very good point about the proliferation of banners, pop-ups, etc. But, most of the time, this issue arises because those responsible for creating these artifacts have a poor understanding of GDPR and are therefore doing it wrong.
For example, I see a lot of banners and pop-ups that require me to the click “OK” on a statement that the site is using cookies. But such banners and pop-ups don’t comply with GDPR at all. In order to comply, they would have at least to also say why they are using cookies.
Secondly, there’s a lot of misunderstanding about the need for a user’s consent. Some people seem to think that websites can’t collect any personal data without the user’s express consent. But that’s not true at all. So they end up asking for consent when it’s not required (e.g. when the information is being collected in order to fulfill a contract with the user, or when it is being collected for legitimate business interests, such as gathering statistical data).
Now it might be argued — and I see you and James have made this argument on Slack — that providing users with the ability to opt-out if they choose is something that (a) is the right thing to do and (b) users will appreciate. But on this thread you are making the case for why neither of those is true.
In my view, it typically provides a much better user experience if a site does not ask for explicit consent in circumstances where it does not need it. Then users don’t have to keep clicking on annoying things just to make them go away (when, as you say, they’ll probably just click “OK” in any event). What a site should do is precisely what GDPR requires it to do when consent is not required: simply explain what is being done and why.
The vast majority of users won’t even read such statements. Of the rest, most will appreciate being told. Only a few will really want to opt out, and then it’s up to them to decide what to do.
I agree entirely. But, in fairness to website owners, when GDPR was introduced, there was - and still is - a huge amount of misinformation, contradictory information and incomprehensible information. As a consequence, most website owners erred on the side of caution, which you can’t really blame them for.
I don’t think that last sentence is true.
I agree that James and I do seem to see eye to eye on this one. As I mentioned on Slack, putting all legal issues aside, as a user, I do like to know what personal data is being stored / processed / transmitted etc. And I do like the option of being able to opt out if I should so wish. But the discussion on Slack and my comment above are essentially about two separate issues which are in danger of being conflated.
My comment about websites and popups above is, I think, clear enough and needs no further clarification.
The discussion on Slack was about plugins that record usage statistics, either directly or indirectly via a 3rd party application. In this case, it is the website owner that is the subject, not the website visitor. Information about their own website is transmitted to and stored by the plugin developers, albeit in a secure, one-way encrypted format.
So in this case, there are no obstructive banners. It is just an option in the plugin settings, along with a note explaining why this data is needed. It’s a one-time setting that only affects the website owner, not visitors to the website.
As far as websites go, I agree with both of these comments, hence my immense dislike of cookie popups. The worst type are the interstitials that block access to the website until you’ve clicked “OK”. When I come across such a site, I leave immediately.
But websites should still make it abundantly clear what personal data they process and why. The link to the privacy policy should, for instance, not be buried deep in the footer.
I don’t think we disagree on much Tim. We may have a different opinion on whether to allow opt ins but as for everything else, I think we’re singing from the same hymn sheet.
Yes, I am aware of that. But the owner is still the user of the software. And so s/he also experiences all those banners and pop-ups when visiting other websites. So it’s still contributing to “OK overload”.
If a plugin developer tells me in the readme file what the plugin does, then I can find it out beforehand if I choose to look. If (whether additionally or instead) the developer has me click on something while I am trying to set up the plugin, then s/he has just irritated me by getting in the way just as much as if I were a visitor on someone else’s site. In that sense, what s/he has done is actually worse: I’m being subjected to this irritant on my own site.
There are zero banners or popups created as a result of installing the plugin. There would just be a single checkbox on the site on which the plugin is installed. And if it’s left at the default setting, it’s as if it doesn’t exist.
Ultimately, we’re doing this because we believe that users would prefer to have some control. I’d be happy to be proven wrong. Maybe we need to seek opinions from potential plugin users and/or the wider community.
Are you also saying it won’t be one of those things that demands attention right at the top of the page, and which then disappears when it’s clicked on so I can’t revisit it easily if I want to?
If you are, then I certainly have no quibble with doing it that way! I have never seen anyone do it like that, so you will be a pioneer!
To clarify, I agree with you on the user experience concern here, but this is not what I am advocating.
For Classic Commerce I think a setting or a config flag that allows users to opt out of usage data would be a good idea. I think it should not be an admin notice and should live on whatever screen is deemed appropriate inside the CC settings, along with an explanation of what is being done and why.
For ClassicPress we collect some information as part of our automatic update process. It is possible to disable this in the config file, and we can do a better job of explaining what we are doing and why, but due to the security-related aspects of automatic updates the behavior is not something that would be a good idea to change. For ClassicPress this has also been discussed previously.