This is something I have not been able to come to terms with. I can understand requiring express consent to each item individually, rather than burying everything into a long ToS. But what I cannot understand is forcing me (as a service provider) into a contract with a customer even if the customer rejects some of my terms.
Cookie restrictions basically amounted to an additional clause in terms and conditions, the thing we're disingenuously treating as a contract.
Realistically no one reads them, not even lawyers. That is the expectation they we re written under. If people actually read before accepting, they would be 250 characters long. Very few services would put up with that much of a roadblock to signing up. Do you really think apple would tolerate an average iPhone sitting unopened for months while the user has the "contract" sitting on their todo pile along with mortgage refinancing and insurance paperwork?
It makes a mockery of the whole thing, reductio ad absurdum for the whole concept of consent...with side effects.
The dynamic this has created is one where the "contract's" job is to reserve all rights that can legally be reserved. There is no trade-off, no reason not to reserve any right. It's just silly to treat these as agreements.
The idea with unbundling is to break this dynamic. Encourage some semblance of informed consent where the user is party to these decisions.
Giving users an all or nothing proposition is a part of the problem. along with the insane levels of user engagement in legal boilerplate that would be required for the system to actually work the way we're pretending it does.
That said, I think it won't work. We'll probably have a more complex version of the current system. Services will still have an incentive to obscure... and turn consent into a click-without-readung-or-fuck-off nag screen. They may just need 4seperate ones now.
This just now means you have to be pretty darn sure you're choosing the right one (because, you've always had to protect and limit the amount of information you collect and process, now it's just much more explicit).
As with everything GDPR (and most digital regulations in general), the large companies will win as they have the legal teams to draft the statements and scores of developers in order to get the UX process sorted (or argue their case in the event something goes awry).
Examples include distance selling regulations (that provide the right of withdrawal) and limitations on what's considered an acceptable mid-contract price increase. GDPR adds extra restrictions on what privacy rights businesses are allowed to require consumers to opt out of.
So if you've done it correctly, the customer isn't rejecting your terms: they're exercising their options under the contract you've offered them.
In practice, this seems difficult and the relations of power in modern EULAs are fairly asymmetric. For example, in many areas there is only one provider of some needed service. like e.g. an ISP. Partial contracts and a certain emphasis on customer protection seem like a reasonable compromise.
I'm not sure what gives you that impression. If the customer rejects the terms, you are free to walk away.
The GDPR position is that the privacy rights are not something that customers can "trade away" in a contract, they're not for sale. If the customer genuinely wishes you to do that processing, you're allowed to do so; and if they don't, then that processing shouldn't be done at all.
The way it's written it has some similarities with sexual consent - just as a valid signed contract stating "I'll allow you to violate my arse for $1000000" legally cannot be a binding contract term (even in places where prostitution is legal) doesn't really give you the unconditional permission to violate my arse and that consent can still be withdrawn at any time; in the same manner a contract stating "I'll allow you to violate my privacy for $1000000" cannot be a binding contract term in any consumer contract according to GDPR. Just as many, many other terms in EU consumer contracts (e.g. binding arbitration clauses, voiding of warranties, excessive penalty clauses, unilateral changes in terms, etc) - even if the company puts it into the agreement and the consumer signs, they are considered automatically unfair and unenforceable.
Are we conflating two things here?
There are agreements which you ask the customer to sign which are required to provide the service: e.g "In order to send you the goods you required, you have to give us your postal address. These must only be used for the purposes of the business - you can't sell the addresses, without consent.
Then there are consents which are for non-essentials. e.g "We would also like to send you our newsletter and for that you need to give us your e-mail address".
The agreements are things that everyone needs to sign in order for you to carry out the business with them. Consents are the optional things and should be separated out.
Or am I misunderstanding you?
