Pinboard Founder Testifies Before U.S. Senate on GDPR

Maciej Cegłowski is the founder and sole employee of Pinboard, a social bookmarking tool that highlights its focus on user privacy. He testified (link via MR) before the U.S. Senate Committee on Banking, Housing, and Urban Development on May 7, 2019.

Cegłowski succinctly describes the impact and failures of GDPR in the European digital advertising market:

The leading ad networks in the European Union have chosen to respond to the GDPR by stitching together a sort of Frankenstein’s monster of consent, a mechanism whereby a user wishing to visit, say, a weather forecast page is first prompted to agree to share data with a consortium of 119 entities, including the aptly named “A Million Ads” network. The user can scroll through this list of intermediaries one by one, or give or withhold consent en bloc, but either way she must wait a further two minutes for the consent collection process to terminate before she is allowed to find out whether or not it is going to rain. 

[…]

For example, anyone visiting the popular Tumblr blogging platform from a European IP address must first decide whether to share data with Tumblr’s 201 advertising partners, and read five separate privacy policies from Tumblr’s several web analytics providers. 

Despite being a domain expert in the field, and spending an hour clicking into these policies, I am unable to communicate what it is that Tumblr is tracking, or what data of mine will be used for what purposes by their data partners (each of whom has its own voluminous terms of service). This opacity exists in part because the intermediaries have fought hard to keep their business practices and data sharing processes a secret, even in the teeth of strong European regulation. 

Statement of Maciej Cegłowski Before U.S. Senate, May 7, 2019

And he proposes “a legal mechanism for making credible and binding promises to users about privacy practices.” This is emphatically not through the standard terms of service, which Cegłowski notes usually include a clause stating that they may change at any time.

Users don’t want to read privacy policies. The digital advertising world is grotesquely complex and there are many better ways to spend our time. The whole system needs a good legal human interface design.