“We need these super high tech cookiemotrons to provide you with the best user experience possible. We consider it a technical necessity to meet your need to have your data harvested. You should be thanking us. We would explain further, but you’re too stupid. What are you gonna do? Have us testify before technologically illiterate politicians and fine us 1% of what we pay our CEO?”
CEO pay seemed to be $356,952 at time of Slack's IPO.
Maximum fine under GDPR is the greater of 4% annual turnover and $23M. Slack's turnover is too small, which means the maximum fine is $23M, nearly 700% of CEO's basic compensation.
Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.
> Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.
Sadly, the regulators are yet to show that the GDPR has any teeth. Most recently, the ICO gave British Airways and Marriott significant reductions on fines they raised last year.
£20M and £18.4M are still reasonably sizeable amounts - and given the pandemic has likely impacted BA & Marriott's profits substantially already, I think some sort of adjustment was likely the fair thing to do.
H&M have been fined £32M. This wasn't hugely far off the 4% annual turnover cap.
Compared to the previous Data Protection Act limits, these fines are definitely significant.
Google bot protection/re-captcha has cookies in google.com and ARE essential. But in the video you have some other stuff. So, at least for google you can't be sure.
When placing cookies, the bar to essential is actually really high.
It has to be essential and unavoidable for the delivery of the bytes to the browser, or it has to be essential for the requested functionality.
The UK ICO has some pretty good guidance. I'd not be confident at all arguing that recaptcha is at all essential under PECR, even though it may be a legitimate interest under GDPR. Important to note that PECR/ePrivacy directive actually goes further than GDPR when it comes to the cookie rule, and you can't use legitimate interest as a basis here!
"This means you are unlikely to need consent for:
- load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers."
You can put a lot of things in this exemption list. I risk to say, even Google Analytics.
Unless there's actually a captcha on that page, they aren't essential. Furthermore, you could argue that recaptcha itself is in breach of the GDPR as it collects a lot more data than necessary (captchas have been done just fine for decades without collecting any personal information).
Slack has no control over those cookies - but it is of course questionable at best that those third-party services are allowed to embed their crap by default. That's not a cookie consent issue though, strictly speaking.
This isn't accurate. Slack has 100% control over the content that goes on their site, and that includes 3rd-party tracking pixels and other mechanisms that lead to these cookies from 3rd parties.
I'd also be interested in an elaboration. It isn't much about the violation of the law itself but the violation of privacy; why do I have linkedin.com, spiceworks.com, techtarget.com, godknowswhat.com suspiciously dumping cookies in my browser?