Closed privacy-advo closed 4 weeks ago
Thank you for taking the time to submit this issue.
We will certainly consider this feedback in regards to our review of OneTrust and other CMP domains on our list.
Most websites rely on the IAB's TCF which allows legitimate interest as legal basis and is opt-out only.
I found a CMP that has six checkboxes to reject the processing. These are independent of the consent checkboxes. If you are not able to interact with the checkboxes, you can't reject (opt-out) the processing. I think I don't have to point out the market penetration of IAB's TCF.
If you want to use Google advertising products, you must use a Google-certified CMP. And the latter must be TCF-compliant. This means that everyone is using TCF CMPs. (https://support.google.com/admanager/answer/13554116?hl=en)
Illustrative example on https://www.mydealz.de
Object to data processing on the basis of legitimate interest
You are forgetting one thing... IF you DID NOT accept their spyware, then for at least the EU, they are not allowed to do any spying..., so hiding their "Consent" will, by law, prevent them from doing any tracking/data collection on you. Therefore I advise to just blacklist it all, and if they violate the law, report them to the EU, they need the money for fancy dinners :smirk:
@spirillen I'm sorry. Reality will disappoint you.
What is a consent management platform (CMP) all about?

a) Presenting data processing purposes, legal basis and information required under, but not limited to, Article 13 of the General Data Protection Regulation and Art. 5 (3) of the Directive 2022/58/EC
b) Obtaining, documenting and storing consent for data processing purpose xyz
c) Documenting and storing legitimate interest for data processing purpose xyz
d) Documenting and storing opt-outs for data processing purpose xyz based on legitimate interest
e) Documenting and storing withdrawal of consent for data processing purpose xyz
Which laws are most relevant to the matter you discussed and could help you?

- Article 6, 7 and 13 GDPR
- Article 5 (3) ePrivacy Directive
Oversimplification of the main differences that may be useful for understanding:

- For data processing based on consent, users must actively opt-in (+ other requirements). Data processing may only take place after consent has been obtained.
- For data processing based on legitimate interest, users don't need to opt-in (+ other requirements). Data processing can begin immediately.
Typical undisputed website-related examples:

- Legitimate interest based purposes: fraud prevention, enforcing security measures, debugging
- Consent based purposes: newsletters, personalized advertisements based on browsing behavior
Debated but website-related examples in practice:

- Legitimate interest based purposes: delivery and selection of ads, analysing ad performance and user interaction, "statistical" analysis, using data for improving the product/website, and anything for which a business is willing to take a high risk.
If you really want to learn more about the market-defining TCF policies: Appendix A: Definitions of Purposes, Features and Categories of Data will give you the details. See "Allowable Lawful Basis:" for the different purposes.
Bottom line: Not being able to interact with a CMP deprives you of the opportunity to object to data processing based on legitimate interest. Wishful thinking and ranting won't get us very far, but new laws and court rulings will. Meanwhile, use adblockers.
@disconnectme Please take this issue seriously.
> I'm sorry. Reality will disappoint you.
(Please just fold this answer as OT)
Well, in my reality all these things are blocked in my firewalls, so I'm not sure how they can get the data in the first place. Which means none of your effort in writing your answer really applies to me.
I'm the kind of person who believes it is the webmasters who break their sites, making them exclusively accessible to "members" of the walled garden. I'm not a member of that anti-privacy club, and only access publicly available sites, and yes, I'm using several tools to protect my right to privacy; this is, among others, @mypdns (RPZ), Tor Browser (like to GitHub), adblockers, nftables... whitelisting, not really, I'm using remote hosts as clients, not proxies, and then download from them.
All this, to protect my privacy from Big Tech and their likes.
However, thanks for your time to make a legal reply, I personally appreciate things like this :+1:
Domain(s) to review. Separate them by comma.
onetrust.com
Rationale for removing, adding, or recategorizing.
Exercising GDPR rights
Where domain(s) observed. Separate them by comma.
privacyportal.onetrust.com, privacyportal-eu.onetrust.com, privacyportal-cdn.onetrust.com, captcha.onetrust.com
Additional notes
I'm using Firefox. I want to be more cautious and privacy aware. Thus, I started exercising my data subject rights with several companies. OneTrust is used as a data protection tool by some of those. A popular example is Disney(+). I was not able to communicate with Disney's GDPR support if onetrust.com is blocked. Especially privacy-conscious people using Disconnect will have similar ideas. The following domains came up: privacyportal.onetrust.com, privacyportal-eu.onetrust.com, privacyportal-cdn.onetrust.com, captcha.onetrust.com
Besides this, I am aware of:
- #344 Block OneTrust Privacy Annoyances
- #353 Consider reclassifying consent.cookiebot.com from Advertising to Content
- #340 Please add location trackers
Those are closed tickets. But I want to add: Blocking consent management platforms on websites can have a negative impact on users' privacy. You won't be able to opt-out of certain data processing. For some cookie banners it might be irrelevant because everything is opt-in only. But for many it will be to our disadvantage. Most websites rely on the IAB's TCF, which allows legitimate interest as legal basis and is opt-out only. If you can't access the CMP, you can't opt-out. I think this needs to be taken into account.