TrustArc is a company used by major brands that utilizes dark patterns to FAKE opt-out time for GDPR compliance. Major companies employ lies. It will hold your browser captive for 2 minutes in hopes that you cancel or accept all. If you don't, it shows "We are processing the requested change to your cookie preferences. This may take up to a few minutes to process.". Not even incompetence could make this an honest process.
The way GDPR works, I think the companies using TrustArc are more likely to be held liable than TrustArc itself. Unless TrustArc makes the unforced error of getting itself classified as a Data Controller.
> Unless TrustArc makes the unforced error of getting itself classified as a Data Controller.
Knowing how some scams and tax evasion schemes work I wouldn't be surprised if they could just set up a separate company that ends up with all the liability without any of the assets and just have that declare bankruptcy the moment the first fines hit. Rinse/Repeat as often as necessary.
I get this on docker.com without my script blocker.
Essential only -> Processing please wait (but you can cancel)
Customize -> Trying to trick me into allowing more, then processing as above
Accept -> Instant success
Took some screenshots since this is ridiculous (I may just not be used to the modern web since I aggressively block scripts): https://imgur.com/a/fJB0aHz
My favorite part is having to pull a bar up to decrease my consent-level.
Based in SV with ~370 employees on LinkedIn and over 17K followers. This above comment needs to be posted verbatim into one of their most recent posts with a mention that GDPR makes its EU customers liable and an additional link to the FTC for public comments. It would make them scramble I think.
LinkedIn is underrated as a platform to call out brands, it's where many spend a lot of their money on PR / image.
I don't understand why most companies even bother. If they aren't going to be compliant in how they handle getting permission, why even pretend?
I think one reason is that we have reached a tipping point where website owners now view these banners as a signal of a "legitimate" website, without bothering to look into actual compliance.
Without enforcement, these things shouldn't exist. They are just a nuisance to everyone.
Well, given that some sites employ hundreds of trackers and other barely-above-malware stuff, it does make sense for these requests to take ages.
Unfortunately, many people simply click on the "accept all" button and don't care about their privacy that much.
The idea of GDPR was that consumers would be hesitant upon seeing the massive amount of third parties that use your data and demand change from the providers. Turns out people don't care / providers would rather let privacy-oriented customers suffer than take a hit on their advertising profits.
> Well, given that some sites employ hundreds of trackers and other barely-above-malware stuff, it does make sense for these requests to take ages.
Last time I checked, there were no requests being made client-side in the 1-2 minutes it took to cancel. It was pretty much the same number of requests for both accepting and denying. Maybe they changed it since it's too blatant.
Also, since it should be opt-in, then accepting should obviously take longer.
If it's the TrustArc Ads Compliance Manager, it makes a call to all the ad networks requesting the network's opt out cookie. The opt out cookie prevents the user from being tracked by that ad network across all sites. Cookie banner opt outs usually only prevent tracking from the site you are on.
Unlike GDPR, which uses a website as the gate for all cookies, the ad industry also has self-regulatory programs. Participation in these programs requires that a website allow a user to opt out of all ad networks present on their site. TrustArc built a module to do that: https://preferences-mgr.truste.com/.
If you run the tool there, it will make a call to the ad networks listed. Of course if you're running an ad blocker, the call will get blocked and it will look like the tool doesn't do anything.
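One way to check the claims above against your own browser session (an added example, not code from this thread or from TrustArc): export a HAR from the devtools Network tab while the "processing" dialog is on screen, then summarise third-party requests and opt-out cookies inside that time window. The HAR below is constructed; the hostnames, the `optout` cookie name and the function names are placeholders.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture); hosts and cookie name are placeholders.
def _entry(ts, url, status, set_cookie=None):
    headers = [{"name": "Set-Cookie", "value": set_cookie}] if set_cookie else []
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"status": status, "headers": headers}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-01-01T12:00:01Z", "https://www.site.example/consent", 200),
    _entry("2024-01-01T12:00:05Z", "https://adnet-a.example/optout", 200,
           "optout=1; Max-Age=157680000; Path=/"),
    _entry("2024-01-01T12:00:40Z", "https://adnet-b.example/optout", 0),   # blocked
    _entry("2024-01-01T12:05:00Z", "https://adnet-c.example/pixel", 200),  # after window
]}}

def _ts(value):
    # HAR timestamps are ISO 8601; older Pythons need "Z" spelled as an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def third_party_activity(har, first_party, start, end):
    """Per third-party host: request count, statuses, cookie names set in [start, end]."""
    t0, t1 = _ts(start), _ts(end)
    out = {}
    for e in har["log"]["entries"]:
        if not t0 <= _ts(e["startedDateTime"]) <= t1:
            continue
        host = urlsplit(e["request"]["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # same-site traffic is not what the opt-out claim is about
        rec = out.setdefault(host, {"requests": 0, "statuses": [], "cookies_set": []})
        rec["requests"] += 1
        # Assumption: a recorded status of 0 means the request was blocked or failed.
        rec["statuses"].append(e["response"]["status"])
        rec["cookies_set"] += [h["value"].split("=", 1)[0].strip()
                               for h in e["response"]["headers"]
                               if h["name"].lower() == "set-cookie"]
    return out

if __name__ == "__main__":
    window = ("2024-01-01T12:00:00Z", "2024-01-01T12:02:00Z")
    for host, rec in third_party_activity(SAMPLE_HAR, "site.example", *window).items():
        print(host, rec)
```

An empty result for the window means no third-party calls went out during the wait; hosts with status 0 and no cookies are the ad-blocker case described above.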
The problem is you're being presented a mandatory popup for what appears to be used as GDPR compliance but realize that it isn't because real ones are instant. This is fake GDPR in the sense that it isn't (compliant); it's other things, as you note. If the purpose is to facilitate GDPR, that opt-out time shouldn't be conflated (the ad stuff shouldn't be bundled), given that GDPR appears to have a requisite "It shall be as easy to withdraw as to give consent.". Is that a correct interpretation? You're suddenly notified you can't operate for minutes (unless you opt-in), which is definitely dark, and unnecessary (unless you want to achieve the action they're doing, but you didn't; you just need GDPR). Sitting captive for minutes is not a modern day web experience anyone finds acceptable, that's why Google is so focused on empowering loading speed inspection/resolution. The experience made me wonder if they use users who don't opt out (I almost gave up just to get out of being locked out) as a selling point. There wasn't, that I could find, an instant GDPR-compliant way around this obstruction. Why would any company care for this experience? If they wanted to be polite and do extra action (this ad network regulations thing), they have the tech to do it asynchronously/unobtrusively, right?