Internet users throughout the European Union — and, in some cases, in the rest of the world as well — are starting to get gently pushed toward accepting various companies’ new service and privacy terms that comply with the EU’s General Data Protection Regulation, which is going into effect on 25 May. Trying to deal with it has convinced me that the tech industry is still determined to get privacy wrong, and the GDPR as applied by them doesn’t prevent it.

The GDPR-related reminders are coming from stores, electronics manufacturers, social networks, even non-profits. One needs to be intensely privacy-minded to go through the legal documents updated by Facebook, Twitter, Fitbit, Sonos, an e-commerce site you may have visited a few years ago or a local theatre company and not get confused about which disclosures you saw in which statement. Though most firms have made an attempt to write the new terms in plain language, as the GDPR requires, these are still lengthy documents crafted for legal compliance first and understanding second.

The standard approach is to hit the user with thousands of words explaining what data is collected and how it is used and, within the text, provide links to settings pages where one can opt in and out of the data harvesting and processing. Here’s how Fitbit handles it:

We give you account settings and tools to control our data use. For example, through your privacy settings, you can limit how your information is visible to other users of the services; using your notification settings, you can limit the notifications you receive from us; and under your application settings, you can revoke the access of third-party applications that you previously connected to your Fitbit account.

Now, which link will you click? Perhaps all four? Will you do it and then go back to the text (there’s still plenty of it), or will you get lost in the first set of preferences, curse and look for the “I agree” button? This is what I’d call obfuscation through confusion.

Facebook, by the way, has a big blue button for consent, but a mere hyperlink for deleting your account if you disagree with the new rules — even though deletion is the more momentous decision. We all know the trick that sends us looking frantically for the “X” we need to click to close an ad. The way Facebook has laid out its new policy pages is a subtler version of that intentional annoyance, a form of mild psychological pressure to sign on the dotted line and be done with it. Most people will: there’s no way to reject specific parts of the rules except indirectly, through tweaking certain settings, and then not in every case — even though very little data collection is actually required to provide the basic Facebook service. That’s unfair to users whose data is coming to Facebook from a multitude of hard-to-track sources, some of which they’d surely like to cut off.

Verbosity

Twitter’s updated privacy policy runs to more than 8 800 words, and it’s distinct from its terms of service and Twitter rules. I know some people — lawyers and reporters — capable of getting through all three documents with a magnifying glass, but most users aren’t like that. There’s no reason for the multiple documents and the verbosity except to induce boredom.

The GDPR rules aren’t complicated. They mainly require organisations that collect and process data to ask Internet users in clear language whether they’re okay with it. But what users get is, as ever, a lengthy legal text — no, three of them and wait, there’s also this linked page and that one, and a separate privacy policy for children, and another one for pets (okay, I made that last one up).

There is a right way to do it. Among all the organisations whose updated policies I’ve seen in recent days, the unlikeliest one came the closest to it — London’s recently renamed Kiln Theatre, which sent a policy change notification to my London-based editor. Its new privacy policy is, of course, another morass of legal verbiage — but it contains a handy table that lists the purposes for which data are collected and matches them with specific data types used.

That’s what I want to see from each of the data harvesters who want my personal information. A simple three-column table. First column: Purpose of data collection (for example: “To personalise ads” or “To enable academic research.”) Second column: Types of data collected or processed (for example, “Web browsing history” or “information about previous purchases provided by advertisers”). Third column: Consent (two checkboxes opposite every data type: “I agree” and “I object.”) In cases where the company considers consent obligatory for the service it provides — and only in those rare cases — checking the “object” box should result in a pop-up explaining why the company can’t live without this and providing a link to the local privacy watchdog’s complaint form.

First step

This would be true GDPR compliance — with the regulation’s spirit, not just its letter. But dealing with the consent part in an honest way would only be the first step. Companies then would have to live up to other requirements such as data portability (Facebook, for example, only allows you to download your contacts in text format, so you can’t really move your online friendships to another service).

I hope the EU objects to how its regulation is being applied, but somehow I doubt it: the lawyers who wrote the new policies know their job. It has little to do with earning trust and everything with minimising litigation. So, whether users feel cheated or not (I do), the new policies tell them that by continuing to use the services past 25 May, they consent to the rules as the lawyers rewrote them.

Big Microsoft price increases coming next year

Vodacom to take control of Safaricom in R36-billion deal

Black Friday goes digital in South Africa as online spending surges to record high

BYD takes direct aim at Toyota with launch of sub-R500 000 Sealion 5 PHEV

‘Get it now’: Takealot in new instant deliveries pilot

Amazon and Google launch multi-cloud service for faster connectivity

Google makes final court plea to stop US breakup

Bezos unveils monster rocket: New Glenn 9×4 set to dwarf Saturn V

Tech shares turbocharged by stellar Nvidia earnings

Config file blamed for Cloudflare meltdown that disrupted the web

So, will China really win the AI race?

Valve’s Linux console takes aim at Microsoft’s gaming empire

iOCO’s extraordinary comeback plan

Why smart glasses keep failing – it’s not the tech

BYD to blanket South Africa with megawatt-scale EV charging network

TCS+ | How Cloud On Demand helps partners thrive in the AWS ecosystem

TCS | Ralph Mupita on competition, AI and the future of mobile

TCS | Dominic Cull on fixing South Africa’s ICT policy bottlenecks

TCS | BMW CEO Peter van Binsbergen on the future of South Africa’s automotive industry

TCS | Why Altron is building an AI factory in Johannesburg

Your data, your hardware: the DIY AI revolution is coming

The energy revolution South Africa can’t afford to miss

It’s time for a new approach to government IT spend in South Africa

How South Africa’s broken Rica system fuels murder and mayhem

South Africa’s AI data centre boom risks overloading a fragile grid

How tech companies are getting privacy all wrong

Why smart glasses keep failing – it’s not the tech

EU kills ‘Fair Share’ plan favoured by South African operators

Yaccarino out: Musk’s handpicked CEO quits X suddenly

AI is not a technology problem – iqbusiness

Telcos are sitting on a data gold mine – but few know what do with it

Unlock smarter computing with your Surface Copilot+ PC