Bookmarked Only 9% of visitors give GDPR consent to be tracked
Privacy regulations such as the GDPR say that you need to seek permission from your website visitors before tracking them. Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law... If you implement a proper GDPR consent banner, a vast majority of visitors will most probably decline to give you consent. 91% to be exact out of 19,000 visitors in my study.

GDPR and adtech tracking cannot be reconciled, a point the bookmark below shows once more: 91% will not provide consent when given a clear unambiguous choice. GDPR enforcement needs a boost. So that adtech may die.

Marko Saric points to various options available to adtech users: targeted ads for consenting visitors only, showing ads just based on the page visited (as he says, “Google made their first billions that way”), use GDPR compliant statistics tools, and switch to more ethical monetisation methods. A likely result of publishers trying to get consent without offering a clear way to not opt-in (it’s not about opting-out, GDPR requires informed and unforced consent through opt-in, no consent is the default and may not impact service), while most websurfers don’t want to share their data, will mean blanket solutions like ad and tracker blocking by browsers as default. As Saric says most advertisers are very aware that visitors don’t want to be tracked, they might just be waiting to be actively stopped by GDPR enforcement and the cash stops coming in (FB e.g. has some $6 billion reasons every single month to continue tracking you).

(ht Peter O’Shaughnessy)

I much like Laura Kalbag’s “I don’t track you” declaration on her blog. She links to that post in the footer of her webpages.

As Laura Kalbag says it’s “as much a fact as a mission statement”. I would definitely like to be able to say the same, because it’s important as a signal, as a statement that the web does not need to be what the silos as advert delivery and manipulation vehicles make it to be. But for this blog it isn’t fully a fact.

I do not track anything anyone does on my site. But others in some instances do. This is the case where I embed material from elsewhere. Although often what I embed is still my own content, such as photos and slides, they are served from the likes of YouTube (Google), Flickr, and Slideshare (LinkedIn). The primary reason for using such services is storage space. Presentations, videos and photo collections tend to be large files, filling up the allocated space in my hosting package quickly. And of course there are occasions where I do want to show content by others (photos and videos). Especially in the case of images, showing other people’s content here is very deliberate, based on an obligation to re-use.

This means that I am an enabler of the tracking that such services do when you visit my blog. To be certain, you have a personal responsibility here too: your browser is your castle, and that Castle Doctrine of browsers means that you should already actively block tracking in your browser. However, I also have a responsibility to not expose visitors to tracking where that can be avoided.

So how to avoid tracking? What alternatives are out there? Here’s a list with the services from which this site over the years has embedded material.

  • YouTube (Google): I did not know this until I looked for it today, prompted by Laura Kalbag’s blogpost, but Google provides a setting with embedded YT videos that disables tracking and serves the video from a different domain (youtube-nocookie.com). This is what I will do from now on, and I will go through my older postings to change the embed code in the same way.
  • Flickr: I use Flickr a lot, it’s both my off-site online photo backup, as well as an easy way to post images here, without taking up hosting space. My tracking detection tool (Ghostery) does not find any trackers of embedded images, provided I strip out some of the scripting that comes with an embed by default. This stripping of superfluous stuff I routinely do, and is in my muscle memory.
  • Slideshare: this I think needs replacing. A Slideshare embed always comes with a Google Analytics tracker and a 3rd party beacon it seems. There is no way I can strip any of that out. It’s a good idea to do without Slideshare anyway, so need to search for an alternative. I might go for my own cloud space, or start making my slides differently, e.g. in HTML5, or find some other tool that I can attach to a private cloud space, and allows easy sharing with others.
  • Scribd: this one definitely needs to go too. Embedding a Scribd document adds Google Analytics and a Facebook tracker, and curiously still a Google+ tracker too, though that service no longer exists. Again, need to search for an alternative. Same as with Slideshare.
  • Vimeo: this video embedding service does not add trackers as far as I can tell from my Ghostery tracking monitoring plugin.
  • 23Video: this platform has pivoted to corporate marketing videos and webinars, and no longer supports casual embeds like in the past. I will need to go through my archive though to clean up the postings where I used 23Video.
  • Qik. This was a live streaming video service I used around 2008. The domain is no longer active, and any embeds no longer work. Will need to clean up some old postings.

So, from this list, Slideshare and Scribd stand out as the ones adding tracking features to this site, and will need to go first. So I’ll focus there on finding replacements. Flickr and Vimeo are ok for now, and YouTube for as long as they respect their own privacy settings. Flickr and Vimeo of course don’t have your data as their business model, whereas YT does, and it shows.

Once I’ve removed the tracking functionality from embedded content, what remains is that any call to an outside source results in your IP being logged in that outside server’s logs, and by extension your user agent etc. This is unavoidable as it comes with connecting to any web server. The only way I can avoid such logging is by ensuring I no longer use anything from any outside source, and hosting it myself. For my own content that is possible, as for images I re-use from e.g. Flickr (by serving the image itself from a server I own, and otherwise just linking to the source and creator, as I did with the image below), but hardest for re-using other people’s videos.

Tracks of footprints in the snow, image by Roland Tanglao, license CC BY
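
The clean-up pass over older postings described in the list above, as an added example that is not part of the original post: it rewrites YouTube embeds to the privacy-enhanced domain and labels every other remote embed with the verdict the list gives it. The embed host names, the `VERDICTS` table and the sample HTML are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Verdicts follow the post's list; the host names are this example's assumptions.
VERDICTS = {
    "youtube.com": "rewrite to youtube-nocookie.com",
    "youtube-nocookie.com": "ok (privacy-enhanced embed)",
    "slideshare.net": "replace: embed adds trackers",
    "scribd.com": "replace: embed adds trackers",
    "flickr.com": "strip script, keep image",
    "staticflickr.com": "ok (image only)",
    "vimeo.com": "ok for now",
    "23video.com": "clean up: embeds unsupported",
    "qik.com": "clean up: domain inactive",
}
YT_EMBED = re.compile(r"((?:https?:)?//)(?:www\.)?youtube\.com(/embed/)")

def verdict_for(url):
    """Match the URL's host, or a parent domain of it, against VERDICTS."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, verdict in VERDICTS.items():
        if host == domain or host.endswith("." + domain):
            return verdict
    return "unlisted third party: check by hand" if host else "local"

class EmbedAudit(HTMLParser):
    """Collect (tag, src, verdict) for each element that loads a remote resource."""
    def __init__(self, html):
        super().__init__()
        self.findings = []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src and tag in ("iframe", "script", "img", "embed") and verdict_for(src) != "local":
            self.findings.append((tag, src, verdict_for(src)))

def rewrite_youtube(html):
    """Point YouTube embed URLs at the privacy-enhanced domain (idempotent)."""
    return YT_EMBED.sub(r"\1www.youtube-nocookie.com\2", html)

# Constructed sample post, not taken from the blog.
SAMPLE = """<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="//www.slideshare.net/slideshow/embed_code/key/PLACEHOLDER"></iframe>
<script async src="//embedr.flickr.com/assets/client-code.js"></script>
<img src="/wp-content/uploads/local.png">"""

if __name__ == "__main__":
    for finding in EmbedAudit(rewrite_youtube(SAMPLE)).findings:
        print(*finding, sep=" | ")
```

Anything the audit labels as an unlisted third party still needs a manual look with a tracker monitor, since the table only encodes the services reviewed in the list.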

Just a month ago I wrote here about my reservations concerning the use of mobile phones as a hotel room key. A hotel I will be staying at in the near future yesterday started sending me multiple (unasked) SMS’s to download their hotel app to ‘make my stay smarter’. Sure, I will trust download links in unrequested SMS! Today as I’ve ignored their messages I received an e-mail imploring me to do the same.

The app they ask me to use is called Aeroguest, and their pitch to me is about easier check-in/out, using chat to contact staff, and using my phone as door key. The first two I’d rather do in person, and the last one is not a good idea as explained in the above link.

Why such an app might be seen as attractive to the hotel becomes clear if you look at the specifications of the app. A clear benefit is direct repeat bookings, saving the expensive middle men that booking sites are. In my case I almost always book through the hotel’s website directly. And if I enjoyed my stay I usually book the same hotel in a city for my next visit. I do use booking sites to find hotels. In this case I’ve stayed in this hotel several times before.

The stated benefits for the guest (key, chat, check-in/out, choosing your room) are a small part of the listed benefits for hotels in using the app, such as up-selling you packages before and during your stay. An ominous one, when seen from the guest’s perspective, is ‘third party services’ access, presumably meaning potential access to your booking / stay history and maybe even payment / settlement information, requested preferences etc. Another, more alarming one, is “advanced indoor mapping” which I take means tracking of guests through the hotel which can yield information on time spent in hotel facilities, time spent in the room, how often / when the key was used, and by matching it with other guests, whom you might be meeting with that is also staying in the hotel. In Newspeak on the app’s website in the data and analytics section this is described as “With transparency, you can proactively accommodate your guests’ needs.” Note that the guest is the one who is being made transparent. That is quite a price in exchange for being able to choose your specific room when checking in with the app.

I’ve replied to the hotel my reasons for not wishing to use the app (linking to my previous blogpost), and told them I look forward to checking in at reception in person when I arrive. When I arrive I am curious to hear more about their usage of the app. For now “making my stay smart” reads like the “smart cities” visions of old, it may be smart, but not for the individuals involved, merely for the service provider.

It sounds to me like the Superhuman e-mail service is in permanent breach of the GDPR by collecting the reading behaviour and geolocation of every recipient of an email from one of their users. So that user can get a ‘message read’ signal, except it shows the user every time you opened a mail and your geolocation at that moment. Without the recipient’s knowledge, and thus without explicit consent, which is definitely needed for something like geotracking.

Also: switch off loading remote images in your e-mail client, so tracking pixels and other image based beacons won’t automatically load upon opening your mail.

I mentioned it here six months ago, that US National Public Radio (NPR) provides a GDPR based choice: get tracked or get text.

If you don’t agree to their tracking ….

[We] use cookies, similar tracking and storage technologies, and information about the device you use to access our sites to enhance your viewing, listening and user experience, personalize content, personalize messages from NPR’s sponsors, provide social media features, and analyze NPR’s traffic. This information is shared with social media services, sponsorship, analytics and other third-party service providers.

…then you have the option to see their content in plain text, which is hosted on a separate subdomain, text.npr.org.

I find I only access NPR now through plain text. The pages are made from straightforward HTML, no loading of any other files or snippets, and are therefore as fast as can be. A breath to read, no distraction etc.

NPR’s plain text news page

NPR plain text article

Only HTML, here NPR’s news page in full. No frills, so very fast

The only downside might be that without imagery, self-starting videos, distracting calls to action and ads, you might notice that a lot of news stories are without much informational content. You can’t blame NPR for that, because news itself as a format has worn a bit thin. GDPR and AdTech (not advertising) are at extreme odds. I like the look of AdTech being stripped away, even if it makes the early 1990’s web fashionably Retro.

I wish more sites would offer the ‘get tracked or get text’ option.