Ask HN: Someone have gotten troubles for not show “We use cookies, Ok?” message?

73 points by edgartaor ↗ HN

33 comments

[ 4.1 ms ] story [ 88.6 ms ] thread
They would have front paged HN if they had, so no.

It's possible an obscure case might have slipped through the cracks (ie as part of a larger case) but unlikely since it'd be great clickbait on a story.

I've always wondered why these cookie warnings are required to be displayed at the website level, with large, sweeping changes, and not the browser level. That seems much smaller, just as visible, and easier to enforce.
What do you mean by at the browser level? Should Chrome/IE/Safari 'know' the site uses cookies and show something in the browser as per the https padlock?

As an aside I do find it funny how 'bosses' insist on the cookie notice to make their website official looking.

> What do you mean by at the browser level? Should Chrome/IE/Safari 'know' the site uses cookies

Absolutely! How else does it know to store the cookie on the user's machine.

Storing cookies isn't the trigger for the warning; no notification is required for cookies that are essential for the basic navigation and operation of the website.

So how would the browser differentiate those cookies from ones which are being used for data collection and tracking, which do require the warning message? It would require some sort of intent-signalling protocol between the website and the browser, which is probably more complicated than just requiring the site operator to include a bit of HTML.

For practical purposes, you could approximate it based on whether the cookie is first-party or third-party and on the amount of time until the cookie's expiration. For the most part, first-party cookies with a short time to expiration are allowed without warning under the EU law, all other cookies require the warning.
Didn't IE or some other brower put a cookie in the address bar if cookies were used?
because the law says so, and the law was written by bureaucrats with no understanding of the industry or of the extremely predictable outcomes of their legislation
Because it's not about cookies.

The law is explicitly about 3rd party cookies, something that is harder to classify.

The intent of the law was to get website owners to stop leaking data to 3rd parties.

The result was everyone slapping a poorly understood warning label on everything.

If you're taking about the EU "cookie law" then it is neither about cookies nor about third party data. The summary is you can store data if they support the primary function of your site without the popup. E.g. you have a shop so you can place a cookie to track the cart but not cookies related to tracking what your user looks at. Despite the name the law is generic about data stored on users computer so cookies, local storage, etags, all are covered by that.
This is the type of law that only starts getting regularly enforced when there's a big headline worthy egregious privacy event that happens, that prompts the authorities to have to posture to save face and pretend they're acting to protect the well-being of the people. Until then, it isn't going to be meaningfully enforced, it's too comically absurd to be worthy of the effort for now. Enforcing it now would be herding cats. To do it properly they'd need a sizable target or three to hammer down upon, to scare everyone else into compliance; those target/s will be connected to the source of said egregious privacy violation, that will be the chain of events.
We have had advertisers/advertising networks refuse to work with us until we added it. I don't know if that counts, but it sure makes it difficult to opt out if you depend on ad revenue.
It's from the EU Cookie Directive, updated in 2015: https://www.cookielaw.org/the-cookie-law/

and it's going to get more complicated under GDPR and the ePrivacy directive:

https://www.informationweek.com/big-data/cookie-law-vs-gdpr-...?

GDPR is NOT limited to the EU, but is focused on protecting EU data subjects no matter where they are, so US companies may be affected. Many US companies are signing up for Privacy Shield, which is updated annually, so it will spread beyond the EU in the years to come.

Generally, when a visitor visits a website, which I call an interaction, then they must agree to its terms of service. This forms a contractual relationship. Contracts are private, and outside of things like not promising to do something illegal, it is up to each party to decide on its terms. In this case the website generally decides on the terms, and then the visitor opts into them through use of the website. Much of the issue lies within contract formation. When a lawsuit happens later, one thing that is frequently questioned is whether the contract is valid. A common angle is to claim the the contract is invalid because it was not correctly formed. Bad contract formation. For example, in a different setting, you didn't sign your name on the dotted line when buying a house or something like that, so there was never a contractual agreement, so there was never an actual sale, etc.

However, there is case law (law made by judges who hear cases and issue opinions) that says that sometimes contracts can be implicitly formed. For example, if you as a website visitor are given proper notice of a website's terms of use, and then you continue to the use website, you have implicitly agreed to the terms of the use. Even if you didn't sign anything, or check any box somewhere saying you agree. No explicit action has to take place.

Except, that is not exactly worldwide statutory law (laws passed by government and written down in the books with codes like Law #1234.56). While the issue of formation is mostly settled, there is still some room for creative legal maneuvering. Aka lawyering the shit of things. Aka screwing things up because someone with deep pockets is paying you to win using any angle you can get.

This cookies notice and agreement probably falls right into this category. And while it is generally settled law that the contract is formed even without this agreement, some schmuck somewhere still thinks there is wiggle room, but it is merely case law and not exactly authoritative, especially not in the international setting.

When in doubt, lawyers adhere to CYA. Cover your ass. Use the narrowest, most conservative, safest interpretation of the law. In this case, there is this tiny bit of doubt, so CYA. Just in case.

I personally believe you can make a good argument that contract is implicitly formed merely from continued use, and the notion of requiring express consent is outdated. The law is catching up to how things are done online, the trend is rather obvious, and anyone whining about it is probably just some established cash cow business that somehow wants to manipulate the market to further extend its antiquated business practices and is willing to spend millions on dollars on go screw yourself legal teams.

So, yes, you could theoretically get in trouble. But you are not likely to, and anyone suggesting otherwise probably has an ulterior motive.

I'm wondering why you wrote all that without mentioning European law?
This cookies notice and agreement probably falls right into this category.

....The cookie notice is mandated by EU Law...

case law is generally not as relevant in Europe as it is in the US.
Not quite as true in England, where Common Law is meaningful; e.g. only in the last 2 years or so have private car parking companies been able to put pressure on consumers to pay their fines because the Supreme Court ruled in favour of a private parking company.
Now, lets assume your website is not accessed via a secure connection and some third party deep packet inspects your website and removes your terms of service, without you noticing.

Is your contract still existing. Have really all your customers signed it?

I heared about Germany lawyers being on the hunt for sites breaking the laws like the cookie law. In Germany being sued can get pretty expensive pretty quickly, especielly for small sites. I wouldn't put anything online without a corporate body protecting my private wealth, which can be sued and go bankrupt.
Note that in Germany no corporate structure will protect the owner-operator of a small company from personal liability. This is through something called Geschäftsfüherhaftung which explicitly applies to mistakes regarding competition law (which are the legal actions you talk about) the director of the company makes personally.

The correct way to shield oneself from liability in Germany is to have appropriate insurance plus paying a lawyer to continuously check the business for compliance.

(comment deleted)
(comment deleted)
The cookie law is a symbol of EU red tape that adds no value to citizens. Browser tech is fast moving, there are so many other ways of finger printing a user, from canvas finger printing, session storage and background apps and extensions. The cookie law was invented by some EU non-technocrat that got offended when they found out they were being tracked. The fact is companies are getting away with it in other ways anyway, its a pointless regulation that cost companies thousands to implement across their sites but does nothing for no one.

http://nocookielaw.com/

Thousands? Message me I'll add 2 sentences of dismissable text for only 1 thousand
Developer here, worked at a ticketing company that had to update various sites with different styling for the popup box. Probably cost us a week or so or more work. Multiply that by tens of thousands of businesses.
My solution was to not use cookies. For a static (generated) blog, that's very viable.