152 Matching Annotations
  1. Nov 2023
  2. Oct 2023
    1. Meta reported to switch payments for tracking in EU, as a way around GDPR issues w tracking. Based on EUCJ verdict in which it was mentioned as an aside. NOYB says this has been previously allowed at media-sites. Imo it was backward then, because it retains the fiction that advertising is only possible with tracking, which is false.

  3. Jul 2023
  4. Apr 2023
    1. https://web.archive.org/web/20230411095546/https://www.reuters.com/technology/germany-principle-could-block-chat-gpt-if-needed-data-protection-chief-2023-04-03/

      On the temporary ban of ChatGPT in Italy on the basis of GDPR concerns.

      Italian DPA temporarily bans ChatGPT until adequate answers are received from OpenAI. Issues to address: 1. Absence of age check (older than 13) of ChatGPT users. 2. Missing justification for the presence of personal data in the training data of ChatGPT. 3. OpenAI has no EU based offices and as such there are no immediate counterparts for DPAs to interact with them. The temp ban is to ensure a conversation with OpenAI will be started.

      The trigger was a 9 hour cybersecurity breach where users' financial information and content of their prompts/generated texts leaked over into other accounts.

  5. Feb 2023
    1. If you are a publisher, you better toss aside those ‘secret’ service provider data protection addendum and get ready to embrace ‘public’ joint-controller agreements with Facebook and other providers of plugins.

      ... How many orgs are actually doing this though?

    2. The CJEU came to the conclusion that non-for-profit consumer associations can sue for potential violations of data protection laws on behalf of a data subject not only under the GDPR but also under the former Data Protection Directive 95/46/EC.

      Kinda wonder how many class actions will be brought. Can class actions go against SAs as well?

    1. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence

      Where to bring a claim - Either the Member State where the Controller/Processor is based, or the data subject's habitual location.

    1. Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.

      Ties in with Article 77 of the GDPR

  6. Jan 2023
    1. Moreover, the decision is fundamentally pointless because it will have zero impact on consumer privacy. Neither Facebook nor Instagram sell user data—they simply use the information on their platform to show users targeted ads. The only change that this decision will cause is that Meta will have to rewrite its privacy policy to use one of the other legal bases provided in the GDPR to operate Facebook and Instagram, including to deliver targeted ads.

      Actually 'delivering targeted ads' based on protected data is inconsistent with the GDPR entirely.

  7. Dec 2022
  8. Oct 2022
    1. requires that a DPIA be carried out whenever the situation calls for it, regardless of the level of risk
    2. Being the only regime to require consent by default with limited exceptions, Law 25 is by far the strictest.
    3. However, in many respects, Law 25 is the most rigorous of the three regimes.
  9. Sep 2022
    1. The Google ban was partly imposed because the data protection regulator discovered Helsingør never carried out a full risk assessment for Google’s school products before using them, as required under Europe’s GDPR privacy law, according to Allan Frank,

      School district did not conduct a risk assessment

      School districts did not have the resources to conduct the assessment. There was a go-with-the-flow attitude, but since we’re concerned about the extent that personal data was being shared with an American company. Done of those we’re concerned about the US government’s ability to access that data.

    1. proposed restrictions concerning international access and transfer must be removed. Although they are aimed at non-personal data, these rules address laws (such as the US CLOUD Act and e-evidence) that will tend to involve personal data and are already covered by the GDPR.

      Only the personal data are covered by GDPR (and badly adhered to if at all wrt EU-US data transfers), you can't argue that because something contains personal data that is subject to compliance the rest will 'automatically' follow suit. There are other demands being made of non-personal data in the DA than the GDPR makes of personal data, because they are different types of data. The logic here strikes me as malintentioned.

    2. bring further uncertainty to companies’ international operations, which have already been severely tested by the CJEU’s Schrems II

      Again, that was the point. The point is not unfettered data exchange, and there's no real uncertainty: there's no legal basis currently for EU personal data transfers to the US imo.

  10. Aug 2022
    1. credible exit.

      credible exit is used to describe that data export / leaving an app provides you with smooth enough ways to do so. Usable exports, that can be updated as you keep using an app e.g. Author talks about Lindy-formats, useful term, cf. [[The Lindy Effect 20201228194100]] and [[Lindy effect buiten tijdsdimensie 20201229115037]]

  11. Jul 2022
  12. Dec 2021
    1. the original purpose for which we obtained your personal data has expired;

      Isn't this GDPR which is in direct conflict with the statement under Disclosing information

    2. stored at, a destination outside the European Economic Area ("EEA").

      Why? is that allowed? I don't think that I would be happy about that as I am not reassured that 'taking reasonable steps' is actually appropriate considering one of those would be to host within regions specified by GDPR

    3. third party, in which case personal data held by it about its customers will be one of the transferred assets.

      I was going to respond to the survey until I saw this. I am offering to provide feedback for free and yet my personal information is collected and becomes part of the sale of the business in the form of an asset. The question is why is my personal information being held for any length of time after I have completed the survey? Isn't that a violation of GDPR?

  13. Sep 2021
    1. A controller is the entity that determines the purposes and means of the processing of personal data. Some examples of a controller are listed below. DigitalOcean is a controller for our customer’s personal data (e.g. personal information provided to DigitalOcean when signing up for our services). A DigitalOcean customer may be a controller if they collect and process personal data on their customers (e.g. personal data provided to you by your customers). A processor is the entity that processes personal data on behalf of another entity. An example of a processor is listed below. DigitalOcean is a processor for our customer’s end-user personal data (e.g. A DigitalOcean customer stores their customer’s personal data on a DigitalOcean service)
  14. Aug 2021
    1. reated 2020-04-04 22:46:35 GMT Account Verification Your account is verified! This means you can share your posts to the gallery. Mature content

      nol our last noel ...

      and the christmas carols of remembering YKY wand Y "sauvignon blanc" ... how the mirror of sawtelle and the four part of ... "ramparted uruk"

      I'm currently reading "Gilgamesh" a translation and note specifically the cedar trees correlate to the Bahir--a book which like "vitsivavnu" did not exist.


  15. Mar 2021
  16. Jul 2020
    1. Under the GDPR, users have the right to object to certain processing activities in relation to their personal data carried out by the Controller. In a nutshell, the user can object to the processing of their data whenever the processing is based on the controller’s legitimate interest, or the performance of a task in the public interest/exercise of official authority, or for purposes of scientific/historical research and statistics. The user has to state a motivation for their objection, unless the processing is carried out for direct marketing purposes, in which case no motivation is needed to exercise this right.
    1. For example, as the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed. Likewise as the GDPR requires a “statement or a clear affirmative action”, all presumed consents that were based on a more implied form of action by the data subject (e.g. a pre-ticked opt-in box) will also not be apt to the GDPR standard of consent.
  17. May 2020
    1. Many also question how the average user with little knowledge of the GDPR will react to being asked so many questions regarding consent. Will they be confused? Probably at first. It will be up to each business to create a consent form that is easy to understand, while being at the same time comprehensive and informative
    1. Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
    1. This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.
    2. An entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private/public companies, individuals and non-profits;
    3. Determining your law of reference. Generally, the laws of a particular region apply if: You base your operations there; or You use processing services or servers based in the region; or Your service targets users from that region. This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
    1. This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
  18. Apr 2020
    1. “In the end, GDPR is all about consent and it’s an approach to privacy that is very European,” said Kagan. “That’s not a mistake. It’s a values statement.”
    2. Kagan said, “a lot of things that are said about what GDPR is doing are myths. There are tons of misconceptions.” As a result, regulators have had to spend a great deal of time undoing myths, explaining the law’s broad language and providing guidance
    3. I still feel like unless there is a very significant increase in staffing, they are probably going to have to pick and choose the enforcement actions that they bring,
    4. The data protection authorities have other tools as well, which might be even costlier than fines, Kagan said. In some cases, EU regulators can tell companies, “You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data.” Sometimes, even the big fines won’t make or break them, but the data will if it is a core component of their business.
    5. Europe’s sweeping privacy rule was supposed to change the internet, but so far it’s mostly created frustration for users, companies, and regulators
    1. the French CNIL has reminded that consent has to be given at the time of data collection, has to be specific, and cannot be passed to another controller through a contractual relationship; it could not be bundled.
  19. Mar 2020
    1. Despite some of the concerns outlined above and the more dramatic claims about the impact of GDPR on businesses, it will only be bad for those companies that buy and trade in user data, or those companies that consistently fail to protect personal data.
    2. The GDPR is a sea change and requires companies to go much further than they have in the past under the old framework. Principles like data minimization, what constitutes valid consent, and when a business can claim a legitimate interest in someone's personal data provide serious challenges to U.S. businesses.
    3. That outcome, in fact, is why the General Data Protection Regulation has been introduced. GDPR is being billed by the EU as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the recent Facebook data harvesting scandal.
    4. “Europeans' privacy will be better protected and companies benefit from a single set of rules across the EU.”
    5. In Europe, access to the Los Angeles Times was blocked and those who tried to access it were offered a screen with a notice which simply read: "Unfortunately, our website is currently unavailable in most European countries.
    1. The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred (even if that consent has been withdrawn). The simple way to do this would be to use a cookie management solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
    2. When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy directive) has been repealed by the General Data Protection Regulation (GDPR), which in fact, it has not. Instead, you can think of the ePrivacy Directive and GDPR as working together and complementing each other, where, in the case of cookies, the ePrivacy generally takes precedence.
    3. To further illustrate this point, imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
    1. Users have the right to access their personal data and information about how their personal data is being processed. If the user requests it, data controllers must provide an overview of the categories of data being processed, a copy of the actual data and details about the processing. The details should include the purpose, how the data was acquired and with whom it was shared.
    2. Another EU law worth mentioning here is the ePrivacy Directive (also known as the Cookie Law). This law still applies as it has not been repealed by the GDPR. In future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR; the upcoming regulation is expected to still uphold the same values as the directive.
    1. It's so frustrating how grey this all is at the moment - I'd imagine most sites still won't be compliant come May 25th.
    2. Had a read through a few of the linked articles above... Wow. Messy, headache inducing stuff, and still so much vagueness.
    1. If a website/app collects personal data, the Data Owner must inform users of this fact by way of a privacy policy. All that is required to trigger this obligation is the presence of a simple contact form, Google Analytics, a cookie or even a social widget; if you’re processing any kind of personal data, you definitely need one.
    1. A single consent form is useful when consent is requested for a single purpose. Here: analytics

      This seems like an important distinction:  Probably (?) you can only use a simple Agree/Disagree consent request if you only have a single purpose/category that you are obtaining consent for.

      As soon as your site has multiple categories to need consent, then you must allow individual consent/refusal of consent for each individual category/purpose.

      This is alluded to just a little bit further on:

      Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.

    2. Asking for consent when processing users’ personal data is one of the most important duties imposed on website owners by the GDPR.
    3. Regardless of where an organization is based (in the EU or otherwise), its website must meet regulatory obligations when processing EU/EEA citizens’ data or the business will face financial penalties.
    4. the introduction of the EU’s General Data-Protection Regulation (GDPR) has significantly impacted the way websites and business collect, store and use both types of cookies. For one, the GDPR includes cookies in its definition of personal data, which refers to any piece of data or information that can identify a visitor.
    1. Are cookies governed by the GDPR? Cookie usage and its related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive (Cookie Law) which in future will be repealed by the up-coming ePrivacy Regulation.
    2. If your website installs any non-technical cookies, e.g. via script like Google Analytics or via a Facebook share button
    3. If your website can be visited by European users
    1. illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems
    2. small portion of sites (~7%) entirely ignore responses to cookie pop-ups and track users regardless of response.
    3. “meet the minimal requirements that we set based on European law” — which they define as being “if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”
    4. All of which means — per EU law — it should be equally easy for website visitors to choose not to be tracked as to agree to their personal data being processed.
    5. majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users — even though EU law requires one
    6. “Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive,” they note, arguing that: “This raises significant questions over adherence with the concept of data protection by design in the GDPR.”
    1. If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.
    1. GDPR introduces a list of data subjects’ rights that should be obeyed by both data processors and data collectors. The list includes: Right of access by the data subject (Section 2, Article 15). Right to rectification (Section 3, Art 16). Right to object to processing (Section 4, Art 21). Right to erasure, also known as ‘right to be forgotten’ (Section 3, Art 17). Right to restrict processing (Section 3, Art 18). Right to data portability (Section 3, Art 20).
    1. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
    1. Legitimate Interest may be used for marketing purposes as long as it has a minimal impact on a data subject’s privacy and it is likely the data subject will not object to the processing or be surprised by it.
    1. You still have to use a Cookie Notice, if you’re planning to collect data that can identify an individual within the EU, or
    1. Google Analytics created an option to remove the last octet (the last group of 3 numbers) from your visitor’s IP-address. This is called ‘IP Anonymization‘. Although this isn’t complete anonymization, the GDPR demands you use this option if you want to use Analytics without prior consent from your visitors. Some countries (e.g. Germany) demand this setting to be enabled at all times.
    1. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.
    2. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
    3. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    4. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
    1. “The GDPR is very good as a piece of paper; it’s almost perfect. But it hasn’t been enforced,” he said.
    2. There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
    3. Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups. “Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.
    1. Consent is one of six lawful grounds for processing data. It may be arguable that anti-spam measures such as reCaptcha can fall under "legitimate interests" (ie you don't need to ask for consent)
    1. If you’re not a legal professional, getting your website or app to be compliant with international privacy laws can be tedious and difficult.
    1. Very few solutions include all of the GDPR required features like: 1) Enabled prior consent. 2) Clear and specific information about data types and purpose of the cookies. 3) Full documentation of all given consents. 4) The possibility for users to reject superfluous cookies and still use the website. 5) The possibility that users can withdraw their consent whenever they want. Cookie solutions that don’t have those features are not GDPR compliant.
    2. It is required by the GDPR as you must document cookies and online tracking at any time and you must be able to show that documentation to both your users and the EU.
    1. For instance, a strict interpretation of the law would require publishers to get opt-in consent by individual vendor, rather than an 'Accept All' pop-up prompt. The approach that publishers and ad tech vendors are taking is that a mass opt-in button - with an option to dive deeper and toggle consent by vendor - follows the "spirit of the law". This stance is increasingly coming under fire, though, especially as seen by a new study by researchers at UCL, MIT, and Aarhus University.
    2. Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.
    3. haven’t consent tools been around for a while? Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide. These tools are still around, and many sites continue to use them under the GDPR. However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
    1. Note that the scope of personal data is truly broad, which makes processing complex and tricky. So, even though, for instance, you employ anonymization in Google Analytics to get rid of all information that falls under this category, you’re still in a catch-22 situation. This is because GA stores a visitor online identifier in a cookie, and under the GDPR that file constitutes a piece of personal data. That means you still need to obtain consent from visitors to process their data.
    1. we make it easy to implement using our Consent by Geolocation feature that auto-identifies the location of the website visitor and applies the correct consent notice and behavior based on the visitor’s current location. For example, simply add PreferenceChoice Cookie Consent and Website Scanning to your website, and the functionality of your consent notice will automatically update to display a CCPA-compliant consent notice to a visitor in Los Angeles, and a consent notice in compliance with ePrivacy and GDPR to a visitor in London.
    1. Do I need a CMP? Short answer: Probably yes. Long answer: If your company is based in the EEA (European Economic Area) or if you are dealing with customers/visitors from this area and show them advertising, it is very likely that you will collect and/or process personal data such as IP-addresses. Therefore, according to GDPR, you need to make sure that the visitor is informed and you need to ask the user for consent. In order to do this you will need a CMP.
    1. To be fully compliant with GDPR, you would also need to enable Show Reject All Button setting.
    2. Consent Model. In the case of GDPR, you must choose the Opt-in. This means that you cannot start tracking people before the consent was given.
    3. if you are using some tools/scripts on your website that are used to identify individuals and their data is processed by you or 3rd parties), that can be done only when a person gives consent
    1. Further, as Logic Hop integrates with third party tools you’re already using such as Drip, ConvertKit, Facebook ads, UTM codes, and more, you may not need to store the data Logic Hop generates to use the plugin how you want. You may even be able to generate all the personalizations you need in real time, with nothing stored!

      I don't like how GDPR encourages more and more to be done on-the-fly on the client-side so that you don't have to send it to the server and accidentally have it saved somewhere.


      Geolocation, using IP address (geolocation is never stored).

    2. If data storage is off, the data listed above is temporarily available for the current session, but nothing is stored. When the visitor leaves your website, no data is stored.

      What does "When the visitor leaves your website" mean exactly? What if they never leave the site and just leave the tab open indefinitely? Isn't the data stored somewhere in the meantime?

    1. You need to provide the ability for users to look at cookies individually, so they need to be listed (and that can be quite a lot of work in major systems). You’re allowed to define some cookies as “necessary for the correct functioning of this product”, usually cookies that store session related data. After all, if a user opts out of those, they can’t meaningfully use the web site, or that part of the site. But you have to be honest about it. You can’t, for example, define marketing or analytic cookies as necessary, and you have to allow users to opt out from them. Those don’t stop the site from functioning, it just reduces the data you can collect about site use.
    1. Why would a company want to have one system for people in France, Germany, and Italy and a separate one for people everywhere else?
    2. “It’s strange to say, ‘Yeah, we’re going to respect the privacy of Europeans more than all other human beings all over the world,’”
    1. Is that enough to be GDPR compliant? No. My understanding is that to be compliant you would wait to initialize the analytics until after you had received the user's explicit consent. Even then you would need to be able to turn off analytics again if the user later revoked their consent.
    1. almost any compliance expert will tell you that a lot of the GDPR is written vaguely and will need to be litigated. And that’s 100% accurate. But err on the side of caution until the courts can provide more clarity.
    1. Absolutely not! There is no GDPR cookie rule. That is a total myth.
    2. if the cookie is installed by your own site, then the consumer can decide ON THEIR OWN BROWSER, if they want to send it. Cookies are a data signal YOU ARE SENDING FROM YOUR OWN COMPUTER. If you don’t want to voluntarily submit a cookie, just turn it off.
  20. Nov 2019
    1. Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default. The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.

      On opt in vs opt out in GDPR.

    1. Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.

      On opt in vs opt out in GDPR.

  21. Oct 2019
  22. May 2019
    1. Unsurprisingly living up to its reputation, Facebook refuses to comply with my GDPR Subject Access Requests in an appropriate manner.

      Facebook never has cared about privacy of individuals. This is highly interesting.

  23. Sep 2018
    1. It is also necessary to accelerate the creation of a national software certification body that makes it possible to draw on technicians who can test the software created for the public administration and ensure its compliance with the AGID rules and the GDPR (privacy by design). In this area, national capacity is currently very limited.

  24. May 2018
  25. Apr 2018
    1. A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

      I see a lot of cookie notices that give vague reasons like "improving user experience". Specifically disallowed by GDPR?

    2. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

      GDPR can allow opt out rather than opt in.