In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”. Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”. Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.
The sample wireframes they've come up with are hilariously onerous, and Europeans will have to opt in on every single site where data is collected. The result will be that almost nobody agrees to give their information universally across all sites, which is the current status quo (because right now, nobody's being asked for anything).
As David Carroll points out on Twitter, it's a fairer negotiation:
— David Carroll 🦅 (@profcarroll) January 9, 2018
I see two big wins from this:
1: Constraints breed innovation. In order to allow advertising and tracking companies to continue to survive, they will need to become more compliant very quickly. We're going to see a new breed of technologies that respect user privacy.
2: More importantly, we're going to see publishers and platforms move to different business models. I'm particularly excited about this. Targeted display advertising has been a catch-all business model for a long time, and the GDPR removes this lazy route to monetization. Everyone is going to need to think harder and more carefully about how they make money - and the result is likely to be something that aligns readers and publishers (or users and platforms). Display ads do the opposite, as the arms race between ad companies and ad blockers has shown.
Sure, there's an argument to be made that the EU shouldn't be interfering with the digital economy in the way that they are, but I think it's dead wrong. Government should be adjudicating and legislating around issues like privacy. I strongly suspect that similar legislation will make its way to the US and other countries - and either way, this is the internet, so the effects will be felt worldwide.