As someone from the UX side of the fence, I can assure you that there are a lot of legitimate convenience and/or fraud protection reasons why a company might store PII server side for the user’s convenience. Targeted marketing isn’t the only reason to store identifying information.
towerful@programming.dev 1 year ago
Fraud prevention is a legitimate interest and does not need a consent request.
I’m pretty sure that is specifically called out in GDPR. Certainly ICO (UK) has loads of articles on it.
However, it is often difficult to demonstrate compliance when relying on legitimate interests, so it can be easier to rely on consent.
azertyfun@sh.itjust.works 1 year ago
Imagine if fraud prevention mechanisms were ineffective if you do not consent to targeted advertising.
Black Hat: Drats! These dark patterns got me again, I accidentally consented, now I won’t be able to bypass the captcha!
towerful@programming.dev 1 year ago
God, let’s hope nobody ever tries that. Higher prices because you don’t consent to more invasive tracking, because it poses a higher fraud risk to the company.
Thankfully, processing the same data for fraud prevention should be a different consent process/option than processing it for targeted advertising.
That’s kinda the point.
Any server you connect to knows your IP address. As does any equipment between your home network and the remote server. It has to, that’s how networks work.
Processing that to ensure your IP isn’t abusing their servers is legitimate interest.
Processing that along with your interactions with their website likely isn’t legitimate interest, so you have to get consent (as this is likely profiling or user tracking, regardless of the cookies used).
You could argue that it is legitimate interest, but then you have to back it up in your privacy policy as to why it is required, and it could be easily challenged as it’s such a broad and subjective term (whether that challenge goes anywhere is up to enforcing bodies, like the EU/ICO/whatever).
The idea is that the barrier to entry for “legitimate interest” is high enough, and that abusing legitimate interest carries a risk, so that it isn’t the default.
Just because you have access to the data, doesn’t mean you can use it however you want.
azertyfun@sh.itjust.works 1 year ago
Some French websites have already started saying “Accept advertising trackers or subscribe to the paid plan”. Marmiton started it, some newspapers followed suit, and I don’t believe the French courts have reached a conclusion on legality yet, but clearly some legal experts at those companies are convinced it could work.