HACKER Q&A
📣 throwaway9992

Is Medium's cookie notice legal?


When you land on any Medium blog you see:

    To make Medium work, we log user data. By using 
    Medium, you agree to our Privacy Policy, 
    including cookie policy.
(e.g. https://donhopkins.medium.com/hyperlook-nee-hypernews-nee-goodnews-99f411e58ce4)

There is no ability to accept or reject, just a close button. In fact I do not agree with their privacy policy, but by that time I am already tracked. In their privacy policy you see:

    We share personal information with vendors, service providers, and 
    consultants that need access to personal information in order to perform 
    services for us, such as companies that assist us with web hosting, 
    storage, and other infrastructure, analytics, payment processing, fraud 
    prevention and security, customer service, communications, and marketing.
(https://policy.medium.com/medium-privacy-policy-f03bf92035c9)

It is not trivial to report them to my local data protection agency, otherwise I would've done it already. But this is just pathetic if this is legal; NoScript seems to be the only way forward.


  👤 NaughtyShiba Accepted Answer ✓
It’s definitely illegal.

Logging can’t be done without consent, and rejection has to be as easy as accepting; in other words, both should be accessible within one click.


👤 codeptualize
Not a lawyer so take everything I say with a grain of salt.

At the bottom of the page they have some notes on GDPR, they explain their "lawful bases" for processing:

"When we have a legitimate interest in processing your personal data to operate our business or protect our interests (e.g., to provide, maintain, and improve our products and services, conduct data analytics, and communicate with you)."

It looks like they claim legitimate interest. If I understand it correctly, they make a claim that their use serves a business purpose (like, for example, limiting the number of free articles) and that the impact on your privacy is minimal. That could be possible; for example, Medium does not do ads, AFAIK.

If that's the case I think you should still be able to "object" to the processing with a reason. At the bottom it says:

"You may object at any time to the use of your personal data by contacting privacy@medium.com."

Might be something to try.

I think it depends on whether their claim of legitimate interest is valid. That can only really be tested when it's investigated after a complaint. But there is definitely some thought behind it, and I bet they had some lawyers work this out.

Personally, I think it would be better if they just asked for consent, but then they probably can't do the X free article paywall thingy.


👤 belharius
I think they are referring to their server logs and other logs required to prevent site attack or misuse. Our access gets logged even before we can interact with their website. I could be wrong.

👤 speedgoose
It’s not respecting the GDPR. The “by using this website” wording is not valid consent.

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.