
> consent is simple to gain, who reads the entire ToS and privacy policy?

That's not how informed consent works; you can't just mention the collection of personal data in a privacy policy. Consent must be explicitly requested for this type of tracking, and you must be able to reject it and continue using the service.

> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself

The request can be blocked with uBlock Origin, but it's still important to draw attention to tracking that may be illegal, since not everyone has a content blocker installed.



if you agree to terms which request consent, you are giving consent. how they are displayed to you and whether or not they are explicit enough or too hidden is subjective

you'll need a stronger arsenal than a content blocker to avoid modern fingerprinting, legal or otherwise


Mentioning user tracking in a TOS or privacy policy that is mandatory to accept in order to use the service is no longer legal.

This article may help you understand what consent means under GDPR: https://www.privacypolicies.com/blog/gdpr-consent-examples/#...


To add to this:

from my understanding of the rules even a lot of the informed consent popups today aren't compliant.

If I understand it correctly (and I think I do) the standard is that it should be equally easy to opt out as to opt in, and the default should be opt out.

IMO this means I should just be able to dismiss any GDPR compliant box and the result should be no tracking.


Correct. Also, you cannot withhold access upon users not consenting, so there's literally zero incentive for users to ever consent for compliant providers. Which is kinda obvious with the GDPR's overall goal of making it impossible to use privacy as currency.


GDPR has lots of issues and this is one of the major ones. It can be easily argued that companies cannot be forced to service users and there has been no real precedent or enforcement around this.


A company cannot be forced to service users. It can also decide to stop operating entirely, and die. A company can be forced to not use particular criteria to decide to service specific users, an idea with a long history - a common example is skin color.


This has nothing to do with immutable physical characteristics and such comparisons only highlight how silly the argument is.

Consent is a voluntary action. Usage itself is a form of consent. However, a user disagreeing with what the company requires to provide that service but still being entitled to and actively using that service is not workable. A user can decide to stop using a service entirely, though, if they don't agree with the requirements.


You aren't forced to service users. You just cannot make consent the currency for your service. Either don't require consent or don't operate in the EU.


> "don't require consent"

That's meaningless. Usage is already a form of consent. The discrepancy is between the user and the company in what is consented. Forcing the company to provide service to the user even if the user disagrees with an upfront description of what the company requires to provide that service is a completely valid objection.

Also GDPR applies to any organization providing to citizens of the EU, not companies operating there, but that's yet another example of poor design which results in GDPR having little enforcement.


it will appear legal if it is worded correctly, just the right side of ambiguity, proofread by a dozen lawyers and backed by a multi-million dollar body

also, to contradict your own tangential claim (from your non-authoritative link): "You _should_ ask for consent where you are offering a genuine choice over a non-essential service. Typical examples include:

-Using tracking/advertising cookies"

this document may help you understand the difference between should and must: https://www.ietf.org/rfc/rfc2119.txt


Did you seriously just link an IETF document as the basis for an argument about the law? Never mind the difference between "should" and "must", do you understand the difference between an RFC and the law?

And there is no room for ambiguity in the actual law:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
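The recital quoted above, together with the earlier point that opting out must be as easy as opting in, boils down to a handful of checkable properties: every purpose defaults to "no consent", nothing is pre-ticked, silence or dismissal counts as rejection, and each purpose needs its own affirmative tick. The following is an added example, not code from the thread or from any project it mentions, of a small consent gate that enforces those properties; the purpose names and the `gateTracker` helper are constructed for illustration, and it stays away from the DOM so it runs under Node.

```javascript
// Added example: a consent gate encoding the properties the recital sets out.
// Purpose names below are constructed for the example, not taken from any site.
const PURPOSES = Object.freeze(["analytics", "advertising", "fingerprinting"]);

class ConsentState {
  constructor(purposes = PURPOSES) {
    // Every purpose starts rejected: there are no pre-ticked boxes.
    this.granted = new Map(purposes.map((p) => [p, false]));
    this.decided = false;
  }

  // The only path to "allowed" is an explicit, per-purpose affirmative act.
  // `choices` is what the user actually ticked; anything not strictly `true`
  // (absent, falsy, or an ambiguous value) stays rejected.
  submit(choices) {
    for (const p of this.granted.keys()) {
      this.granted.set(p, choices[p] === true);
    }
    this.decided = true;
    return this.snapshot();
  }

  // Closing or ignoring the dialog is treated exactly like "reject all",
  // so the opt-out path is never harder than the opt-in path.
  dismiss() {
    return this.submit({});
  }

  isAllowed(purpose) {
    return this.granted.get(purpose) === true;
  }

  snapshot() {
    return Object.fromEntries(this.granted);
  }
}

// Gate: a tracker may only initialise after a positive decision for its own
// purpose. Returns a description instead of touching the page so the logic
// can be exercised outside a browser. (Constructed helper for this example.)
function gateTracker(consent, purpose, init) {
  if (!consent.isAllowed(purpose)) {
    return { loaded: false, reason: `no consent for ${purpose}` };
  }
  init();
  return { loaded: true, reason: "explicit consent" };
}

// Worked run: the banner is dismissed first, then the user later opts in to
// analytics only. Each step records whether a tracker would have loaded.
function demo() {
  const consent = new ConsentState();
  const events = [];
  const loadAnalytics = () => events.push("analytics-init");

  // Page load: nothing decided yet, so nothing may run.
  const beforeDecision = gateTracker(consent, "analytics", loadAnalytics);

  // User closes the dialog without choosing: still nothing runs.
  consent.dismiss();
  const afterDismiss = gateTracker(consent, "analytics", loadAnalytics);

  // User later ticks only analytics. The string "yes" for advertising stands
  // in for an ambiguous signal and is not treated as an affirmative tick.
  consent.submit({ analytics: true, advertising: "yes" });
  const afterOptIn = gateTracker(consent, "analytics", loadAnalytics);
  const adsStillBlocked = gateTracker(consent, "advertising", () => events.push("ads-init"));

  return { beforeDecision, afterDismiss, afterOptIn, adsStillBlocked, events, state: consent.snapshot() };
}
```

The point of `submit` rejecting anything other than a strict `true` is that the consent record can only ever be widened by a tick the user made; defaults, omissions and "clever" values all collapse to rejection, which is the direction the recital's "silence, pre-ticked boxes or inactivity" clause pushes.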


> Did you seriously just link an IETF document as the basis for an argument about the law?

of course not, it was an example to demonstrate the difference and easier to include one link for both definitions than e.g. two for each from a dictionary

> Never mind the difference between "should" and "must"

given the context I believe the difference is of paramount importance

> do you understand the difference between an RFC and the law?

slightly reworded first question but yes, I do, thanks

> And there is no room for ambiguity in the actual law: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

that seems a good example for a better source which actually bolsters my point on bad sources, but alas, it's irrelevant. note that it refers to personal data and not (third time lucky) the original argument concerning tracking consent. in fact, I cannot even find any personal data in the OP's URL, probably because no personal data is required to create a GitHub account. let's just ignore that one for now


Terminology in guidelines for following a new law != terminology in technical documents.

Not being able to get implicit consent by hiding some terms in a long legal document is the entire fucking point of the GDPR.


as above
