1. 49
    UI/UX tricks against GDPR (and users) design law practices privacy web medium.com

How to use UI/UX to fool users’ consent, an online example.


  2. 15

    I’m under the impression that opt-out is not allowed under GDPR, only opt-in. The question is, then, which this UI is. I’d argue it’s opt-out.

    1. 1

      The trick is that, had I clicked the button “Sounds Good, Thanks!”, I would have opted in.

      1. 17

        IANAL, but I think this pretty clearly violates the GDPR. From the GDPR’s preamble:

        If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

        It is not clear, because it uses a dark pattern (using color choices) for the user to read: “We care about privacy -> Sounds Good, Thanks”. Also, I would call unticking 338 companies unnecessarily disruptive. Moreover:

        Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

        Again, I would call manually unticking 338 pretty detrimental.

        1. 5

          GDPR Recital 32 is particularly informative. I’ll reproduce paragraphs 1-3 here (reformatted for clarity):

          (1) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

          (2) This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

          (3) Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

          While reading (3) alone you might think that this system would be contrary to law, I think in the broader context it’s probably okay? Your attention is being drawn to the fact that you have to give consent to use of your personal data (the modal). You can either look for more information, or say okay. So I don’t see this as a pre-ticked box within the meaning of paragraph 3.

          However, it’s definitely shady (and common) practice. I think it’s borderline, and it would be fair for the regulator to raise concerns. I suspect that the “not unnecessarily disruptive to the use of the service” will actually count in InfoWorld’s favor here. The Correct Solution would be to offer a deselect all.

          1. -1

            Playing devil’s advocate here, but they don’t actually need to untick 338 checkboxes, they only need to click “deselect all” as the author did.

            1. 9

              Ehm… the author had to untick 338 checkboxes because there is no “deselect all”.

              It took a while, actually, but I hate to be manipulated.

              1. 3

                Sorry, somehow I misread that. I stand corrected.

          2. 4

            Yeah. I feel like that’s against the spirit of GDPR, if not the text. I guess the courts will decide. 🙂

            1. 2

              And if not GDPR violation, Shamar and others can sue them in class action for the damage to their hands from 338 checkboxes. Each violation will pay a fine equal to the sum of their users at risk of arthritis or carpal tunnel. That’s on top of any GDPR fines.

        2. 8

          This is getting more and more common since GDPR. A way to “bypass” these kinds of tactics is to enable GDPR / cookie consent blocking with an ad blocker (at least this is possible with uBlock Origin). It automatically hides these annoying banners/popups without forcing you to opt in.

          1. 3

            It’s even more fun when you consider how many of these websites then set the cookies that you’d actually have to opt in…

            1. 1

              How do you do this with uBlock Origin? I didn’t see a setting about GDPR or cookie/consent blocking.

              1. 12

                If you go in uBlock Origin preferences → Filter lists, under “Annoyances” there’s “Fanboy’s Cookiemonster List” which hides “we use cookies” banners (and apparently will also hide GDPR banners).

                1. 1

                  <3 THANKS!

            2. 3

              The author claims they’re a programmer, but they still clicked 338 checkboxes manually? Sounds fishy :)

              Here’s what I’ve done on Tumblr, which also has something similar.

              // :checked matches the live state; .prop() clears it (removeAttr only strips the HTML attribute)
              jQuery("input:checked").prop("checked", false);
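The two complaints in this thread (pre-ticked boxes, which Recital 32 says cannot constitute consent, and the missing “deselect all” that an earlier comment calls the correct solution) can be checked mechanically against a consent form’s markup. The following is an added example, written for this page and not code from the article, InfoWorld, or any commenter. The two markup samples, the function names (`findCheckboxes`, `hasDeselectAll`, `auditConsentForm`) and the word list used to recognise a refusal control are all assumptions made for the example.

```javascript
// Added example (not from the article or this thread): a static audit of a
// consent form's markup for pre-ticked boxes (GDPR Recital 32, para 3) and for
// the absence of a "deselect all" control. The markup samples are constructed
// for this example. The regexes are a heuristic tag scan for server-rendered
// forms, not a full HTML parser, and boxes ticked later by script (via the
// "checked" property rather than the attribute) will not show up here.

const DARK_PATTERN_HTML = `
<div class="modal">
  <p>We care about your privacy</p>
  <button id="accept">Sounds Good, Thanks!</button>
  <form id="vendors">
    <label><input type="checkbox" name="vendor-1" checked> Vendor 1</label>
    <label><input type="checkbox" name="vendor-2" checked="checked"> Vendor 2</label>
    <label><input type='checkbox' name='vendor-3' checked /> Vendor 3</label>
    <label><input type="checkbox" name="vendor-4"> Vendor 4</label>
    <input type="hidden" name="unchecked-marker" value="1">
  </form>
</div>`;

const COMPLIANT_HTML = `
<div class="modal">
  <p>We care about your privacy</p>
  <button id="accept">Accept selected</button>
  <button id="reject">Deselect all</button>
  <form id="vendors">
    <label><input type="checkbox" name="vendor-1"> Vendor 1</label>
    <label><input type="checkbox" name="vendor-2"> Vendor 2</label>
    <label><input type="checkbox" name="vendor-3"> Vendor 3</label>
  </form>
</div>`;

// One record per <input type="checkbox"> tag: its name and whether the markup
// ships it pre-ticked (a bare `checked` attribute or `checked="checked"`).
function findCheckboxes(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags
    .filter((tag) => /\btype\s*=\s*["']?checkbox\b/i.test(tag))
    .map((tag) => ({
      name: (tag.match(/\bname\s*=\s*["']?([^"'\s>\/]+)/i) || [])[1] || "",
      preTicked: /\schecked\b/i.test(tag),
    }));
}

// A refusal control: any visible text offering to clear all choices at once.
// The word list is an assumption for this example; real forms vary.
function hasDeselectAll(html) {
  return /\b(deselect|reject|refuse|decline)\s+all\b/i.test(html);
}

// The audit: counts, the names of pre-ticked boxes, and how many clicks a
// user needs to end in the "no consent" state. Accepting is always one click,
// so a refusalClicks far above 1 is the asymmetry the article describes.
function auditConsentForm(html) {
  const boxes = findCheckboxes(html);
  const preTicked = boxes.filter((b) => b.preTicked).map((b) => b.name);
  const deselectAll = hasDeselectAll(html);
  const refusalClicks = deselectAll ? 1 : preTicked.length;
  const findings = [];
  if (preTicked.length > 0) {
    findings.push(`${preTicked.length} pre-ticked checkbox(es): pre-ticked boxes do not constitute consent`);
  }
  if (!deselectAll && preTicked.length > 1) {
    findings.push(`no deselect-all control: refusing costs ${refusalClicks} clicks, accepting costs 1`);
  }
  return { total: boxes.length, preTicked, deselectAll, refusalClicks, findings };
}

// Stand-alone run: print both audits side by side.
for (const [label, html] of [["dark pattern", DARK_PATTERN_HTML], ["compliant", COMPLIANT_HTML]]) {
  console.log(label, JSON.stringify(auditConsentForm(html)));
}
```

The audit looks only at the `checked` attribute in the delivered markup, which is the same thing the one-line jQuery snippet above selects on. A form that ticks its boxes from script after load, or that renders custom toggle widgets instead of `<input type="checkbox">`, passes this scan and defeats that snippet alike; for those, the check has to be run against the live DOM (`input:checked`) rather than the HTML source.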

              1. 11

                The author is a programmer, a software architect, a hacker, and a curious person in general.

                I can conceive several ways to fool your smart jquery script. If you cannot think of them yourself, you shouldn’t code in Javascript, actually.

                But also I’m a UI and UX designer, at work.

                I was surprised to see a nice UI with such a stupid mistake.

                I hoped the developer on the other end was cool enough to surprise me.

                After the first ten clicks I realized she was not that smart.

                I hit F12. But then I thought “my users cannot hit F12: let’s walk their path and see how I feel”.

                I’m not stupid. I simply care.

                1. 2

                  I can conceive several ways to fool your smart jquery script. If you cannot think of them yourself, you shouldn’t code in Javascript, actually.

                  • I don’t think he was claiming his solution was a fit for all
                  • So by your logic only people who know DOM JS should code in JS? ;)

                  I know this was a reply to a slightly provocative comment in defense of the author, but this in particular seems a little silly

                  1. 5

                    I’m the author. And actually I’m sorry for the tone of the reply: I’m tired, and I didn’t intend @janiczek’s post as a joke for me, but as an attempt to justify InfoWorld by calling me fishy.

                    I’m fishy, definitely! :-)

                    But I also care about users. And I’m a European fish…

                    So by your logic only people who know DOM JS should code in JS? ;)

                    Nobody should code in JS. Really. Nobody should.

                    But yes, if you don’t know how DOM JS has been interpreted in the last 10 years, I think you shouldn’t code in JavaScript professionally. You might think I’m exaggerating to get a point, but trust me: everything is still there, under the hood. Ready to break.

                    1. 2

                      Thanks for the kind reply. I wasn’t trying to provoke myself, just point out something that seemed a bit off :) Professionally? Perhaps you’re right in a perfect world, but the fact remains there will always be code monkeys that build or maintain simple systems for a customer base that can’t pay for a seasoned developer. Regardless, I agree with the pain point of your article :)

                      1. 3

                        Mm, I kind of feel like as a profession we should try to have more respect for our own work. Software can cause significant harm, and we’ve all just collectively agreed that it’s okay to prop up companies that want to build broken things and not properly maintain them. Maybe companies that aren’t willing to spend the money to build safe software shouldn’t have the privilege of getting engineers to work for them.

                        I know that’s a tangent and not really what you were trying to address.

                        1. 3

                          I completely agree with your first statement, having respect for your own work is a great virtue.

                          The devil is in the details in regards to companies/individuals who provide shoddy services. Outside passionate and informed social circles, it’s customers who vote with their pockets (counting data as a form of currency here), whether that be for trading for convenience or just a result of plain ignorance.

                          Unfortunately there aren’t any easy remedies to this problem. Shoddy companies/individuals will find ways to work their way around regulations, and customers will quite happily dig themselves into holes in pursuit of the cheapest or quickest solution. That doesn’t mean you don’t try, in fact I personally think one of the best tactics we can use for problems such as these, is informing the general public of the consequences (though that’s another problem in itself).

                          1. 2

                            Yes, I agree with all of that, and thank you for it.

                          2. 2

                            Maybe companies that aren’t willing to spend the money to build safe software shouldn’t have the privilege of getting engineers to work for them.

                            I see your point, but to me it’s like saying that companies that aren’t willing to spend the money to write proper English shouldn’t have the privilege of getting writers to work for them.

                            They can learn how to write by themselves.

                            I prefer a different approach: turn all people into hackers.

                            1. 1

                              Yeah, I see that point also. But, I mean, writers have historically been more willing to stand up to exploitative labor practices than hackers have… I think there’s a balance to be found, and getting to the right balance requires rethinking some things.

                              1. 3

                                We are just like scribes from Ancient Egypt.

                                Despite the groupthink, we are still at a very early stage of information technology.

                                Just like being a scribe back then, being hackers today does not mean understanding the power and responsibility we have. But it’s just a matter of time.

                                We will forge the future.

                        2. 1

                          I’m sorry if my post came as provocative! (Maybe my definition of “fishy” – as English is not my native language – is slightly off compared to your definition)

                          Yeah, “I know I could do X instead of clicking, but common user can’t, so let’s walk in their shoes” is a fair motivation. Maybe I just expected the thought to be expressed in the post, given you’ve expressed you’re a programmer. But maybe that’s a silly expectation ¯\_(ツ)_/¯ Thanks for the clarifications in the comments here.

                  2. 3

                    One of the good things with GDPR is that it puts a light on the issue. Before, unless you run Ghostery or something similar you wouldn’t even know how many trackers you were subjected to by visiting a site.

                    1. 1

                      Only I read it as UNIX tricks against GDPR (and users)? :)

                      1. 1

                        This seems to stand in the old field of abiding by the letter of the law without adhering to the spirit of the law. I’ve always wondered how they could get away with this, and what provisions, if any, could prevent bad practice like this without significant burden.