Gaping hole in GDPR

Yegor Tkachenko
3 min read · Nov 28, 2019
[Image credit: Davidbena, CC BY-SA 4.0]

The General Data Protection Regulation (GDPR) was implemented by the European Union (EU) in May 2018. Since then, it has become the bane of website owners and Internet users alike, contributing to the global pop-up hell.

The wide adoption of intrusive pop-ups has been driven in part by severe potential financial sanctions promised by GDPR to website owners worldwide that collect and process data of persons located in the EU without their explicit consent (or without another legal basis under Article 6). The maximum fine under the GDPR is up to €20 million or 4% of annual global turnover — whichever is greater — for companies that violate its requirements (see GDPR Fines / Penalties section).

Yet, for all the chaos, trouble, and threats, there is a gaping hole in GDPR’s intended safeguards for user privacy.

The key issue is that the authors of GDPR did not include in its text any specific requirement about the shelf-life of a user’s answer to a consent request — that is, how long the provided consent (or non-consent) must be remembered (see GDPR consent requirements).

Technically, this omission allows companies to set different shelf-lives for consent and for non-consent.

If a user agrees to data collection and processing, the company could remember consent indefinitely; if a user refuses data collection, a company could prompt him or her to indicate consent again as soon as the next visit to the site (or even sooner) — continuously bombarding a user with such requests until consent is given, for example, by mistake or out of annoyance.

This undermines GDPR effectiveness.

It is well known in basic probability theory that the chance of observing a low-probability event at least once approaches certainty as the number of independent opportunities for it grows: if the event has probability p on each of n independent trials, the chance that it never occurs is (1 − p)^n, which decays exponentially in n.

In other words, even if a user does not consent to a site’s data collection policy in principle, as long as there is at least a small chance that the user might give consent erroneously on any given site visit, the probability of consent being given at least once approaches certainty with a growing number of site visits.

Once given, such erroneous consent could be remembered by the site owner for as long as the heart desires — unless the user explicitly revokes it (an opportunity users have a right to under GDPR, but may not be aware of).

Thus, the current GDPR regime allows consent to be obtained with very high probability even from a dissenting user, assuming the user visits the site in question frequently enough and has a non-zero chance of clicking the consent button erroneously. This goes against the spirit of GDPR, but does not seem to violate its letter. The authors of GDPR may want to close this loophole.
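The argument above can be made concrete with a small model. The code below is an added illustration, not part of the original post: it computes the "at least once" probability and replays visits by a user who always intends to refuse, under the asymmetric policy the post describes (consent kept forever, refusal forgotten immediately) and under a symmetric alternative where both answers are kept for the same number of visits. The policy model, the mis-click probability `p_err` and the visit counts are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass
from typing import Optional, Tuple

def p_consent_at_least_once(p_err: float, prompts: int) -> float:
    """Chance that a user who always means to refuse, but mis-clicks 'accept'
    with probability p_err on each prompt, has consented at least once after
    `prompts` independent prompts: 1 - (1 - p_err) ** prompts."""
    return 1.0 - (1.0 - p_err) ** prompts

def prompts_needed(p_err: float, target: float) -> int:
    """Smallest number of prompts at which that chance reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_err))

@dataclass
class ConsentPolicy:
    """Shelf-life of each stored answer, counted in visits (assumed model).
    None means the answer is remembered forever."""
    consent_ttl: Optional[int]
    refusal_ttl: Optional[int]

# The asymmetry the post describes: 'yes' kept forever, 'no' forgotten at once.
ASYMMETRIC = ConsentPolicy(consent_ttl=None, refusal_ttl=0)
# A symmetric alternative: both answers kept for the same number of visits.
SYMMETRIC_30 = ConsentPolicy(consent_ttl=30, refusal_ttl=30)

def simulate_dissenting_user(policy: ConsentPolicy, visits: int, p_err: float,
                             seed: int = 0) -> Tuple[int, bool]:
    """Replay `visits` visits by a user who always intends to refuse.
    Returns (prompts shown, whether an erroneous 'yes' was ever recorded)."""
    rng = random.Random(seed)
    answer: Optional[bool] = None   # stored answer; None = nothing stored yet
    age = 0                         # visits since the stored answer was given
    prompts, ever_consented = 0, False
    for _ in range(visits):
        ttl = None if answer is None else (policy.consent_ttl if answer else policy.refusal_ttl)
        if answer is None or (ttl is not None and age >= ttl):
            prompts += 1
            answer = rng.random() < p_err   # True only on a mis-click
            ever_consented = ever_consented or answer
            age = 0
        age += 1
    return prompts, ever_consented

if __name__ == "__main__":
    print(f"P(at least one consent | p_err=1%, 300 prompts) = {p_consent_at_least_once(0.01, 300):.3f}")
    print("asymmetric policy, 300 visits:", simulate_dissenting_user(ASYMMETRIC, 300, 0.01))
    print("symmetric policy, 300 visits:", simulate_dissenting_user(SYMMETRIC_30, 300, 0.01))
```

With a 1% mis-click rate, 300 prompts push the probability of at least one recorded consent above 95%; under the symmetric policy the same 300 visits produce only 10 prompts, so the user is exposed to far fewer chances to err.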

Otherwise, the famous Biblical instruction “ask, and it shall be given to you” may begin to ring particularly true when it comes to consent-request pop-ups.
