Saw this today and now I’m reconsidering if Boost is right for me. I’m really hoping this is shitty boilerplate that was accidentally copied and overlooked because that is some bullshit to say “unless we decide we want to use your personal data for whatever we want”.
I know “legitimate interest” is a phrase from the cookies law but there is no legitimate interest justification for this. My data is my data and I decide who has a legitimate interest in it so advertisers can fuck off, as can Boost if this is the direction it’s going.
Edit to say this blew up. I didn’t realise I was kicking as big a hornet’s nest and haven’t read all the comments yet.
To be clear, what I don’t like about this and other provisions in the terms is the language and implications around data use. I’ve no problem with ads being shown - I want developers to get paid for the work they do and that makes it possible for users to have “free” access to software if they can’t afford to purchase.
I also want to add the response from Boost’s dev below to make sure it’s visible. You’ll see that it is boilerplate but required by Google and was present in Boost for Reddit. I just hadn’t seen it because I purchased it immediately based on a recommendation. It doesn’t make me happy about it but does remove some doubts I was having about the direction Boost is heading.
I will be purchasing the app to support the dev because I do like Boost but I understand not everyone can afford everything so you’ll see some other suggestions in the comments below that don’t have any ads if you’re not happy with the free version and ads with their associated loss of data privacy.
Dev here.
The dialog and its content are not created by me, it is a standard solution from Google to comply with GDPR and other laws. More info here: https://support.google.com/admob/answer/10114014?hl=en
The consent dialog is also required by Google AdMob to show ads, and it is shown when the ad network is initialized.
When the app launches, first it checks for the remove ads purchase, and if it is not present, it will initialize the ads SDK. The ad network is not initialized if the remove ads purchase is detected.
Boost for Reddit was using the very same ad networks and consent dialog.
This is not not ok, actually. I’m a software dev for a European company. I’m briefed by our lawyers.
“Legitimate use” isn’t just a phrase from cookie law, it has a very specific meaning.
What’s legitimate use? Well, any data I necessarily have to store for our business relation I can store. For as long as I need it. For example: You want me to send you something? Gonna need to store your address. After I sent the package I don’t have any need for your address any more so I’d need your explicit consent to store it longer.
Another example for what is considered personal data: IP addresses. Which I store for as long as you watch my site, so that would be another example for a legitimate reason to store personal data.
Still I don’t get why they display this banner. To my knowledge it’s not necessary to inform the user about storage for legitimate reasons.
All that said, there are plenty of examples of companies illegitimately storing personal data. Google is a good example; they were sued only yesterday (Fitbit).
It doesn’t say “legitimate use” though, it says “legitimate interest”. If the former has a specific meaning then that specific meaning doesn’t apply to the latter.
The “legitimate interest” is also part of the GDPR. It’s when it’s in a company’s best interest to measure this data. Error tracking, for example, can fall under this.
Sadly, it hasn’t been challenged yet and is a bit of a “super bandaid” tracking agencies like to use (as they exist to track stuff, which would make any data tracking legitimate). Hopefully some privacy agencies will pick this up soon.
That is not correct, or at least it’s incomplete. You make it sound like only the company’s interest matters, but it always has to take into account the interests of the data subject as well, and if the two are at odds, you need to make a judgment on how to balance those.
Storing IP addresses for example falls into this - there is a legitimate interest of the company to keep its IT systems protected, and to do that effectively, storing IP addresses is necessary. This interest weighs pretty highly, and since the expected effect on the subject is minimal and there’s no less invasive way to achieve the same result, it’s okay to do without a way for the user to opt out.
Error tracking is already a little more tricky - you need to have a good argument why you actually need the personal data to effectively find and fix issues, because most of the time, there’s ways to do that without processing personal data just as effectively (beyond the IP address of course being used when sending error reports).
Of course this is all just theory, and in practice, companies will often try to get away with way more liberal interpretations of what constitutes legitimate interest. My point is that legitimate interest as a concept is not the problem, and is actually necessary for the whole thing to work. The problem is companies bending the law and not properly being regulated.
And how often do you suppose that the judgement is made in favor of the data subject? To protect privacy?
Because I am going to guess never, and suggest it is naive to believe that it would ever occur.
That’s not how it works. The judgment isn’t a preference, it’s a decision made based on interpretation of the legislation.
If you decide to judge in favour of storing data and a legal body finds you in breach, you’ll be fined and forced to change your interpretation.
That’s why it’s such a minefield. Yes it can be abused, but yes you might get legally devastated for doing so.
The idea that companies can flippantly choose their preferred interpretation is paranoia, not the reality of how GDPR works.
This is useful insight but I think it’s important to remember that, as messed up as it sounds, different companies and their lawyers will interpret laws differently. It will be a risk vs reward calculation for each company. They won’t consider if it’s illegal or not, they’ll consider whether they’re likely to be prosecuted, what the fines would be, what the reputational damage would be, whether they have more lawyers than the government of a moderately sized country etc.
I probably agree with the interpretation you’ve given and would like the governments to go after companies that think otherwise but that sadly isn’t how it works.
Well, the authorities may be sluggish at best, but still your stance on this seems rather uninformed.
You should read up on noyb.eu’s work, and the lawsuits they fought. The max. fine for GDPR violations is 4% of a company’s worldwide annual turnover, that’s something companies are taking very seriously, I know because I deal with it on a daily basis.
There’s still going to be companies who try to bend the law to their will, but they keep losing in front of courts.
By this logic, every use is a legitimate use. I mean how long is the “as you watch my site”? If you come back tomorrow and I want you to have a continuity in your experience, then I want to store your IP for more than what somebody else defines as “now”. Then what about a week later and then what about a month later?
Deutsche Bahn tried it with that reasoning. They’re currently being sued by digitalcourage.org and I’m confident they’ll lose.
tbf this is promising, but I’m afraid so many companies will just ignore it until they may have a case.
This was a lazy ass, lame comment so I deleted it. Fuck a lazy comment.