• 95 results
  • 1
  • 2
Avatar image for wemmick
#51 Posted by wemmick (47 posts) -

@admiralcurtiss: You may have noticed the language on the black banner - "By continuing to use our site or clicking Agree, you agree that..." etc etc. The lawyers feel, and it seems to be standard practice across most sites at the moment, that this is adequate permission, and that on the first pageview we can assume acceptance. They are constantly monitoring the legal regulations and the state of the industry, so this may very well changes, but that's their current stance.

Staff
Avatar image for wemmick
#52 Posted by wemmick (47 posts) -

@chris24680: I hear you, and for the moment I'll just say that some of the details of GDPR like this don't have a common understanding yet when it comes to how to comply in practice. I am passing all of this feedback to our lawyers, so please keep it coming, and as standards develop, we will try to keep up with those best practices.

Staff
Avatar image for bicycle_repairman
#53 Edited by Bicycle_Repairman (615 posts) -

@wemmick said:

@admiralcurtiss: You may have noticed the language on the black banner - "By continuing to use our site or clicking Agree, you agree that..." etc etc. The lawyers feel, and it seems to be standard practice across most sites at the moment, that this is adequate permission, and that on the first pageview we can assume acceptance. They are constantly monitoring the legal regulations and the state of the industry, so this may very well changes, but that's their current stance.

No ill will toward you or @rorie on this, but what you said above is 100% no longer valid under these new regulations( in other words: illegal) . A a big part of why these regulations where created is to counter-act the exact standard/situation you describe above. It is no longer accepted as the "gold standard" or valid. The new rule is: you(cbs/giantbomb ect) should have access to ZERO data, nothing at all, until I (EU citizen) have given you explicit permission (not we collect stuff if you even go to this website). And you can only store it until I give the notice all my personal date should be removed a.s.a.p.. And at any moment i should have acces to the kind of data you have on me. Also every different angle of data scraping should first be explained to me in simple and clear terms, and i should still be able to access and use your website/ service even if i decline all your data scraping and collecting requests.

This might sound like a harsh new reality, but from the consumer side this is excellent and a new form of digital identity and freedom. I hope this simple example helps you in any way possible.

If i got anything wrong, people who have more expertise in the field please correct me. I think i got most of it correct but i might be mistaken. but i think im 95% correct.

Online
Avatar image for nethlem
#54 Edited by Nethlem (739 posts) -

@bicycle_repairman: Spot on, GDPR was also put in place to delegitimize "implied consent", like it's been manufactured trough those cookie messages. Implied consent, just by visiting the site, is not enough anymore for most cases, users have to give explicit consent through opt-in.

Tho what I don't understand: If all the ad-tracking is not relevant for premium subscribers, why was so much of it "enabled" for me? Does the premium status override these settings or what's happening there?

And a big kudos for giving us a single "opt-out of all" button! Some websites have been real assholes about this, forcing you to manually uncheck hundreds of boxes.

Avatar image for test0r
#55 Posted by test0r (102 posts) -

I did the only reasonable thing and blocked the stupid "Manage settings" floating button with my ad-blocker. Why you wouldn't simply have it in the footer or something instead I will never understand.

Anyway, as has been mentioned by lots of much more informed and articulate people in this thread already, what you are currently doing is illegal under GDPR. It absolutely has to be opt-in, not opt-out, for personal information. That part is so obvious that I literally don't understand how lawyers (which I assume are who designed this entire thing) could get it wrong.

It's been hilarious and depressing at the same time seeing the mad scramble to become GDPR complaint.

Avatar image for rahulricky
#56 Posted by rahulricky (296 posts) -

I had white-listed GB but now that I can see the list of tracking being done despite being a premium member I've changed that. I don't blame the GB staff but *shudders* it's a bit much.

Avatar image for noelveiga
#57 Posted by NoelVeiga (1370 posts) -

@test0r: Yeah, there already is a permanent place to edit my settings in my profile blurb. It's weird that this is the thing to get hung up on, while, as others are mentioning, some of the "you have to go to a different site to opt out" stuff seems like it shouldn't fly.

Anyway, hopefully you'll figure it out soon. I have to say, I'm mostly very happy about the effects of GDPR. I've learned a lot about how my data was used and, at least in properly compliant sites, I've had an easy time opting out of the stuff that seems iffy.

Avatar image for nicolasvh
#58 Posted by nicolasvh (115 posts) -

@wemmick said:

@admiralcurtiss: You may have noticed the language on the black banner - "By continuing to use our site or clicking Agree, you agree that..." etc etc. The lawyers feel, and it seems to be standard practice across most sites at the moment, that this is adequate permission, and that on the first pageview we can assume acceptance. They are constantly monitoring the legal regulations and the state of the industry, so this may very well changes, but that's their current stance.

No ill will toward you or @rorie on this, but what you said above is 100% no longer valid under these new regulations( in other words: illegal) . A a big part of why these regulations where created is to counter-act the exact standard/situation you describe above. It is no longer accepted as the "gold standard" or valid. The new rule is: you(cbs/giantbomb ect) should have access to ZERO data, nothing at all, until I (EU citizen) have given you explicit permission (not we collect stuff if you even go to this website). And you can only store it until I give the notice all my personal date should be removed a.s.a.p.. And at any moment i should have acces to the kind of data you have on me. Also every different angle of data scraping should first be explained to me in simple and clear terms, and i should still be able to access and use your website/ service even if i decline all your data scraping and collecting requests.

This might sound like a harsh new reality, but from the consumer side this is excellent and a new form of digital identity and freedom. I hope this simple example helps you in any way possible.

If i got anything wrong, people who have more expertise in the field please correct me. I think i got most of it correct but i might be mistaken. but i think im 95% correct.

Indeed, you're absolutely right. The reasoning you give @wemmick is one of the core reasons why GDPR exists in the first place.

Also: it was a complete shock to me as to how many (30+!) sites my data is being shared with. And this is as GiantBomb Premium user. And don't tell me 'it doesn't apply to me'. I know it doesn't apply, but I also know it's still being collected & shared. Don't bullshit us please. :)

Avatar image for yani
#59 Edited by yani (428 posts) -

Having implemented GDPR cookie pop ups for a number of medium size European based fashion brands, the general consensus of legal teams I've worked with is that while GDPR explicitly requires consent for newsletter sign ups and sharing of identifiable personal data, the legislation does not explicitly address cookies containing non-identifiable information, such as what you've looked at (as these are attached to annonymised user IDs). Based on this the previous EU cookie legislation still applies (allowing implied consent) and all that has changed is that we are now required to detail what cookies we set, detail what they are used for and provide the option to opt out of cookies that are not essential to the functionality of the website (ie are you logged in, whats in your basket etc).

It is the specifics of the last point that appears to be contentious. What is the legal definition of essential cookies? If a website is reliant on advertising/marketing in order to generate revenue, such as Gamespot/Giantbomb, I can imagine you could argue they are essential as the website would not exist without them. Luckily I have not had to deal with this question due to the industry I tend to work in but I am sure an argument could be made, and it appears that the likes of Facebook, Google and CBSi believe they have a case on this front as they would not have taken the positions they have otherwise.

Avatar image for nicolasvh
#60 Posted by nicolasvh (115 posts) -
@yani said:

Having implemented GDPR cookie pop ups for a number of medium size European based fashion brands, the general consensus of legal teams I've worked with is that while GDPR explicitly requires consent for newsletter sign ups and sharing of identifiable personal data, it does not explicitly address cookies containing non-identifiable information, such as what you've looked at (as these are attached to annonymised user IDs). Based on this the previous EU cookie legislation still applies (allowing implied consent) and all that has changed is that we are now required to detail what cookies we set, detail what they are used for and provide the option to opt out of cookies that are not essential to the functionality of the website (ie are you logged in, whats in your basket etc).

It is the specifics of the last point that appears to be contentious. What is the legal definition of essential cookies? If a website is reliant on advertising/marketing in order to generate revenue, such as Gamespot/Giantbomb, I can imagine you could argue they are essential as the website would not exist without them. Luckily I have not had to deal with this question due to the industry I am in but I am sure an argument could be made, and it appears that the likes of Facebook and Google (and CBSi) believe they have a case on this front as they would not have taken the positions they have otherwise.

Or... you could think about this as a company, try to do the right thing & stand still how wrong it is that it has become the standard that all this data is shared with a huge list of ad networks/platforms. Also: ads isn't the sole revenue stream for Giant Bomb. Heck, there are enough quotes of Jeff stating that the ads business isn't what's driving GIant Bomb. I would call it non-essential then. Also: you can still run ads when you don't have my data.

Avatar image for abstractfloat
#61 Posted by AbstractFloat (14 posts) -

Any chance of extending GDPR protections and options to people outside the EU? GB/CBSi is not legally bound to do that, but man it would be welcoming to the rest of the international community.

Avatar image for yani
#62 Posted by yani (428 posts) -

@nicolasvh: Unfortunately most companies are looking to make money, not do the right thing. I've been lucky enough that the industry I work in is not reliant on cookies for advertising and so the systems that I've implemented allow customers to opt out of all cookies apart from "are you logged in", "whats in your basket" and "recently viewed products" (the last was contentious even though it is only used on site).

I personally feel CSBi's "opt-out through company" option is bullshit. My sites add a cookie that has your GDPR cookie preferences in it as part of the "essential" cookies . This keeps track of if you've set your cookie preferences and what they are. Wherever we have code that sets cookies we check whether you've opted out of that cookie type (statistics, social media or advertising) and skip the code if you've opted out. At no point should CBSi be requiring you to go to a third party to opt out, if you opt out of marketing for instance they should simply skip the code (ie wrap it in an if statement) that calls the 3rd party cookie. Nike.com and the BBC have similar systems to what we've implemented for reference.

All I'm trying to point out is that GDPR does not appear to explicitly define rules on cookies and there is therefore a certain amount of uncertainty as to what is and isn't allowed. This allows companies room for maneuver, which in my experience, involves companies taking the piss.

Avatar image for yani
#63 Posted by yani (428 posts) -

@abstractfloat: I've been lucky enough to be allowed to do this as my clients are EU based but don't expect it to be the norm for non-EU companies. Unfortunately companies have a legal duty to their shareholders to make money and giving customers the option to opt out of say, marking cookies, goes counter to this unless it is a legal requirement as it now is in the EU. Perfect example of this is Facebook who moved their African and Asian users from Irish to American legal oversight in order to avoid having to apply GDPR rules to them.

Avatar image for firrae
#64 Posted by Firrae (133 posts) -

@rorie and @wemmick I'm not a citizen of any EU nation, but as a developer and data security person, I ask if these settings are only available to users in the EU. I know most sites rolled them our to globally but I can't find settings for these options anywhere. I've personally fought hard to keep my data out of people's hands where I can and while I love GB I don't trust CBS and would love these settings to be available to me as well.

Am I just missing where we can access these settings or is it indeed CBS only offering these options to EU users and basically telling the rest of us that we're stuck with the status quo of our data being sold or used without our knowledge?

Avatar image for ottoman673
#65 Posted by ottoman673 (1226 posts) -

@firrae: I wonder, if you're that concerned about your data, why aren't you using something to the effect of noscript, ghostery, etc. already? You can stop the data trackers yourself

Avatar image for firrae
#66 Posted by Firrae (133 posts) -

@ottoman673 you say that as if I don't already. Just because I do doesn't mean I can't ask and hope for an internet where such extra tools aren't needed to simply provide real privacy.

Avatar image for loegi
#67 Posted by loegi (4 posts) -

Just saying, but I haven't seen this banner yet because I'm using ublock and umatrix on Firefox and Chrome. Also not on Internet Explorer 11, which I assumed would just work. This is definitely just a "me" problem, and not even an actual problem because that banner sounds annoying, but I'm not sure about the actual legality since I still haven't actually accepted any cookies or anything (though I'm blocking them anyway).

Internet Explorer not working is the weirdest thing to me, since that still seemed like the baseline that should always work. It works on Firefox and Chrome though, after disabling ublock and umatrix. Then again, I'm no developer or lawyer, so this information might be useless, just wanted to let you guys know.

Avatar image for cliffordbanes
#68 Edited by cliffordbanes (93 posts) -

I'm not seeing the banner and I'm using a Firefox private window with uBlock Origin and EFF Privacy Badger. Could anyone link to the page where you can opt-out of stuff?

Edit: managed to find it using a different browser. It's: https://l3.evidon.com/site/425/5420/22 for me.

Avatar image for nethlem
#69 Posted by Nethlem (739 posts) -

@yani said:

If a website is reliant on advertising/marketing in order to generate revenue, such as Gamespot/Giantbomb, I can imagine you could argue they are essential as the website would not exist without them. Luckily I have not had to deal with this question due to the industry I tend to work in but I am sure an argument could be made, and it appears that the likes of Facebook, Google and CBSi believe they have a case on this front as they would not have taken the positions they have otherwise.


IANAL but I'd be careful going with that interpretation in the context of Zuckerberg's meeting with EU MEP's.
One recurring theme during that meeting was Facebook's business model, and MEP's pointing out how it won't be valid anymore under GDPR, thus asking Zuckerberg for a "new business model that respects users privacy".

Now, Facebook is quite a different beast than CBSi as FB is far more involved in the ad-business, especially of the nasty kind (targeted, tracking you, and so on). But if the EU is willing to go confront a massive company like FB about it, then I have no doubt they'd also confront others.


@cliffordbanes said:

I'm not seeing the banner and I'm using a Firefox private window with uBlock Origin and EFF Privacy Badger. Could anyone link to the page where you can opt-out of stuff?

Edit: managed to find it using a different browser. It's: https://l3.evidon.com/site/425/5420/22 for me.


That link indeed looks the same as the "Manage Settings" menu, but when I open it all the settings there are in the default position, going through the "Manage Settings" menu takes me to my actual settings. So I guess the link you have there is either specific to a user (you?) or it's kinda like a default template?

Avatar image for jamesm
#70 Posted by JamesM (324 posts) -

I know this is a bit pedantic, and I may be misremembering, but I believe the requirement is that the company has to be able to give that information in response to a request in writing, so I don't really think it's an "at any moment" thing. Of course, if a big company expects many of these requests it makes sense to automate that process rather than have it handled by customer service, at which point it might as well be available on demand, but I don't believe that's a legal requirement (in part because it could be very difficult for smaller businesses to achieve in a safe manner).

If I recall correctly (which I very well might not, since it's been a while since I was reading up on this and my memory is terrible), the upper limit on a "reasonable" response time was a month. Not that I think that that's a desirable implementation.

Anyway, I'm glad to see the community applying scrutiny to CBS' implementation. It would be foolish to expect a big company to do the Right Thing, even if we do like and trust individuals who work for it.

Avatar image for soulcake
#71 Posted by soulcake (2217 posts) -

Like Yani told in this thread it's still legal to store cookies as long as it doesn't have any personal identifiers like a name or a IP address etc.

Avatar image for dinosaurs
#72 Posted by Dinosaurs (92 posts) -

This seems like it should have been simple and yet here we are.

Shouldn’t all of the unnecessary cookies be opt-in and not opt-out? Surely you guys can see it’s bullshit to expect someone to load 50 third party websites to opt out.

Can you clarify what the deal is with non-premium members and the ad cookies you deem necessary? As I see it you could just offer them untargeted ads and that it isn’t necessary at all but maybe I’m misunderstanding what’s actually happening.

Either way I’d like to throw my hat in the ring as someone who’s unhappy with how CBS is handling this for whatever it’s worth.

Avatar image for onemanarmyy
#73 Edited by Onemanarmyy (3720 posts) -

Well i guess i know what i'm going to do tomorrow. Go through all these 30-ish 3rd parties to opt out there. That doesn't seem how it should be. If CBS uses their features on this very site, i should be able to opt out on this site.

edit: first one is in russian (adriver.ru). I am not russian. Criteo's settings are not saved. I'll resume tomorrow.

Avatar image for soulcake
#74 Posted by soulcake (2217 posts) -

@onemanarmyy: That adriver.ru website looked skeezy as hell it's weird that company's are ok to just give away data to weird Russian websites, in order to get payed.

Avatar image for arjailer
#75 Edited by Arjailer (145 posts) -

Well, that was ... an experience ...

First, virtually none of the opt-outs worked with UBlock enabled - had to disable if for almost all of them to even begin to work.

  • The first one on my list (AddThis) worked okay.
  • Next MediaMath, after about 5 minutes of "working" reported "opt-out requests for 86 out of 91 participating companies were not completed". Turned off UBlock and only 14 failed this time! Woo! Next try 12 failed. Those 12 kept failing regardless of how many times I clicked "try again".
  • Adobe Marketing Cloud had all 5 participating companies failed to opt-out, even after repeated retries.
  • Exelate worked okay after disabling UBlock.
  • LiveRamp worked okay after disabling UBlock.
  • Bombora was another 33 of 137 opt-outs failed ... sigh ...
  • Google was 9 of whatever opt-outs failed ... deeper sigh ...
  • Lotame worked.
  • New Relic "does not provide a cookie opt-out. visit their privacy policy for more information" - with no link to their web site - WTF!
  • Yahoo Web Analytics was opted out already! Wooo!

None of the multi-company opt-outs fully completed, even after about 30 minutes of retrying ...

... and that's just one of the PCs I use ... two more, plus my phone to go :-(

Sorry CBSi lawyer-types, but this is a terrible experience and not at all what GDPR is about :-(

I'm not going to claim that I've read the GDPR and know it inside-out, but ever single article I've read about it makes it clear that you need to be able to prove explicit consent, i.e. opt-in, not this opt-out per-device nightmare :-(

Avatar image for arjailer
#76 Edited by Arjailer (145 posts) -

Crikey!

Turns out it could be worse though - it could be Metacritic, which (as another CBS company) has the same mechanism ... with a list of sites 35 screens long! At a guesstimate, that's in the region of 150+ sites! A quick scroll through suggest that the big Opt-Out button has worked on only 10%-ish of those. Leaving well over 100 sites to opt-out of manually ... one at a time ... eeek!

Is the strategy "frustrate them into submission"? :-D

Avatar image for wemmick
#77 Edited by wemmick (47 posts) -

@nethlem: Yes, Premium status overrides all cookies settings.

Staff
Avatar image for thepullquotes
#78 Posted by thepullquotes (269 posts) -

Has anyone seen how long TechRadar's list is? It's a behemoth.

Avatar image for wemmick
#79 Posted by wemmick (47 posts) -

@rahulricky: In case you missed it from other posts, most of this is irrelevant for Premium members. We do still have basic tracking, which you are free to observe using Ghostery or the plugin of your choice, but Premium members won't see any ad-oriented tracking.

Staff
Avatar image for wemmick
#80 Posted by wemmick (47 posts) -

@nicolasvh: I assure you, no ad-oriented targeting is happening for Premium users. If you see something firing in Ghostery that you think is ad-related, please let us know!

Staff
Avatar image for dante_the_jedi
#81 Edited by Dante_the_Jedi (363 posts) -

@wemmick

Telling people to use Ghostery a company that just leak very large number of email and has for a long time been known to doing some doggy tracking is not showing the best understanding of the topic at hand. Not trying to be a dick, but just bringing it up. AS GDPR is and privacy in general is something I take and I know a lot of people take very seriously.

Avatar image for wemmick
#82 Posted by wemmick (47 posts) -

@dante_the_jedi: Heh, indeed, Ghostery has their own issues these days - I was listing them as an example of software that tracks/blocks trackers, not endorsing them explicitly.

Staff
Avatar image for dante_the_jedi
#83 Posted by Dante_the_Jedi (363 posts) -

@wemmick: I would say to use something like Privacy Badger or uMatrix for block all of that stuff, but having to use a 3rd party plug in to do this would still mean you are not complying with GDPR.

Avatar image for onemanarmyy
#84 Edited by Onemanarmyy (3720 posts) -

Back to the list. Trying to opt out of google.inc takes me to http://optout.aboutads.info. Strange, but alright. It has 133 opt out options. Promising. After trying to opt out of all of them, only 4 out of 133 options actually opt out, and the other 129 are 'temporary unavailable.' perhaps i already blocked a bunch of them through my adblock use, eventhough i disabled it all for this? Trying this on Edge gave better results (16 remain)

No Caption Provided

Yahoo's ad interest manager page doesn't seem to load on any browser. Just a blank page. Adform doesn't seem to simply offer the option to opt out but lead me to another list on youronlinechoices.eu which lists another 115 opt out options. Again, only a few actually seem to work. Lists upon lists! bilintechnology.com just takes you to a blank page with 'back to privacy page' in the middle, not sure if it opted me out?

Well i've spent over an hour on this and got through the list. There's an addon out there named Protect my choices, which opts you out of a bunch of these networks & saves your opt-out settings on them. But bear in mind, there are still plenty of entities on this list that don't seem to be included with that. http://optout.aboutads.info , http://www.youronlinechoices.eu/ & http://optout.networkadvertising.org seem to be opt-out aggregrators that take care of a bunch of them at once. So if you don't want to spend an hour on this, i would advice at least giving those 3 a whirl.

Yahoo's adpages seems to be straight up busted for me. Their homepage & links do work however. Strange. Edit: Yahoo is listed at aboutads.info as succesfully opted out. Not sure if the opt out page at yahoo's ad interest manager is different. Haven't encountered a company on this list yet that has both an opt out button at one of those aggregators AND on their own domain apart from Yahoo.

Avatar image for wemmick
#85 Posted by wemmick (47 posts) -

@dante_the_jedi: Hi Dante - just to be clear, I wasn't proposing using one of these apps as a way for us to comply with GDPR, I was suggesting them as a way to see which calls the site is making in case folks are interested in seeing that kind of thing.

Staff
Avatar image for dante_the_jedi
#86 Posted by Dante_the_Jedi (363 posts) -

@wemmick: Ok, I may have got a little confused on that end. I am glad that this is an active topic and I am sure you are feeding it back up to the people that need to know.

Avatar image for crazycraven
#87 Posted by CrazyCraven (233 posts) -

Any chance of extending GDPR protections and options to people outside the EU? GB/CBSi is not legally bound to do that, but man it would be welcoming to the rest of the international community.

Well if you are an EU Citizen it doesn't matter where in the world you are GDPR is applicable.

Avatar image for abstractfloat
#88 Posted by AbstractFloat (14 posts) -

@crazycraven: Not an EU citizen but I find that the GDPR a good start on the privacy front, so worldwide voluntary compliance would be appreciated - I very confident that the whole staff, both the personalities and the technical staff, would agreed with that. But alas, they are bound to whatever the CBSi policy is. Doesn't mean we should not politely ask/pressure them on this subject.

Avatar image for biteyferret
#89 Posted by BiteyFerret (1 posts) -

@wemmick said:

@nicolasvh: I assure you, no ad-oriented targeting is happening for Premium users. If you see something firing in Ghostery that you think is ad-related, please let us know!

As I've seen the Premium point brought up before, I would just like to point out that the same personal data rights apply to non-Premium visitors also. Tracking random EU visitors without explicit consent is just as illegal as tracking those with accounts- arguably more so, as you _need_ fewer cookies to operate then.

Avatar image for parsnip
#90 Posted by Parsnip (1346 posts) -

The CBSi GDPR implementation has to be one of the worst I've seen both from usability standpoint and compliance standpoint.

Everyone had 2 years to prepare, but this just looks like it was thrown together at the very last minute.

Avatar image for forcen
#91 Posted by Forcen (2487 posts) -
No Caption Provided

Avatar image for splodge
#92 Posted by Splodge (2638 posts) -

No other website I visit has this stupid fucking button. It gets in the way on mobile all the time. I'm sick of accidentally hitting it.

No offense to the site engineers intended, but it's really irritating. Just needed to vent after my fiftieth time hitting it.

Avatar image for rahulricky
#93 Posted by rahulricky (296 posts) -

@wemmick: thanks, I did miss that and is good to know.