96 comments

[ 0.20 ms ] story [ 178 ms ] thread
My country is so great. How on Earth did we register 30% positive growth of third-party domains and 20% growth of third-party cookies?

(Good that I don't generally visit the local Internet much anyway.)

Third party scripts for dealing with GDPR requirements perhaps?
I'm glad the GDPR actually manages to enforce one of it's lesser talked about principals: data minimasation. What is worrying about this article is that it implies companies are using other, even less consensual ways of tracking users. Or maybe I'm reading too much into it.
That was my take on it as well:

> In a September 2017 study of 250 US digital marketers by Viant, about 60% of respondents said they will no longer rely on cookies for the majority of their digital marketing within the next two years.

The absence of any description about what they will use instead is frustrating.

Well if they talked about browser fingerprinting via javascript, someone would take a stab that too
Considering you cannot use cookies for mobile traffic, it's understandable that most firms are moving away from it. Fingerprinting and device IDs have been common for a few years and I don't think it will go away any time soon.
Why can't you use cookies for mobile traffic?
I wasn't clear enough and I apologize. You can use cookies but they will only be within the context of a singular app's browser. For example, suppose that you use two web browsers on your Desktop, Chrome and Firefox. If you visit xyz.com on FF, some cookie information will most likely be stored. However, if at a later time, you visit the domain on Chrome, it will not have access to the same cookie store.

This becomes important in the context of third party cookies that want to track you across apps. Hence why cookies are not a reliable method of identification on mobile.

Hope this clears it up. :)

Which is odd, since GDPR isn’t about cookies. Other means of user tracking fall under GDPR too.

(To clarify, it wouldn’t be particularly odd if companies were found to violate GDPR; but the selective move from cookies to other technologies doesn’t change the legal situation.)

The "Factsheet" this is about (7 page pdf - https://reutersinstitute.politics.ox.ac.uk/sites/default/fil...)

>All results presented here reflect site activity prior to obtaining consent; the picture may change dramatically once the user provides the affirmative opt-in GDPR requires.

So, meh.

Yep. If anything, things are worse now. You HAVE to give consent to do anything useful on the website (so blocking the notice won't work), and in the consent form it's usually very hard to turn tracking off, full of dark patterns.

Not legal from the perspective of GDPR, sure, but it seems that everyone is doing it.

/edit: downvoted for stating basic facts, amazing.

And I hope they will all get heavy fines for doing so. Let's see how well the EU will enforce the GDPR.
I honestly don't get why so many sites are even paying attention to GDPR. If they don't have a presence in the EU, it is irrelevant.
It is not. If their customers are in the EU they have to to comply.
What authority would make them comply?
I was specific. If I don't do business in the EU, it doesn't matter. I don't really care where my customers are but if they pay in the US, GDPR is not relevant to me.

I get that everyone is super excited about GDPR, but sorry to say most websites can safely ignore it.

> If they don't have a presence in the EU

Only sites with a presence in the EU are paying attention. The LA Times is a counter-example of a site that hasn't bothered with GDPR because they didn't feel EU users were worthwhile keeping.

However, collecting data on the 0.5 billion people in the EU evidently seemed worthwhile for most sites.

It seems strange to me that the LA Times would cut off European users, when they presumably have to comply with the new California Consumer Privacy Act, which is similar, anyway.
Because GDPR includes provisions for handling US GDPR violators, a lot of security vendors were touting up the idea that if a European fills out a form on your site or gets cookied for any reason, you could be sued.
So they'd file suit in the EU and... what would happen? Some sort of judgment that would prevent a company from starting business in the EU at a later date?
I don't know. Why are EU companies paying attention to American laws, again?
Largest economy and military in the world are big reasons to play nice with America
Military doesn't come in to this at all.

And similar arguments could be made for why American companies would play nice to the EU.

If I were a company I would target America first and Asia second. Due to increasing regulations, political uncertainty and lack of growth I'd shift the EU to third (it used to be an obvious second to me).
Fair enough, but you'd be missing out on a huge market. And unlike Asia, it has a single regulation to follow for things like data protection.

If your company was unable to comply with GDPR, many wouldn't want business with your company anyway, especially other companies who are trying to comply with it.

The US is not the largest economy. Whatever gave you that idea?

Except for military force and incarcerations per capita, the US is lagging behind in almost every statistic compared to China or the EU.

Detained during their connection in Frankfurt?
Honestly that is a classic "Come at me bro" type of moment. Sue me in the EU, it really doesnt matter if I don't do business there.
(comment deleted)
They won't. The ICO in the UK has already said they aren't interested in imposing fines [0]. They would much rather nudge companies into compliance.

> "The fine is really a last resort," she told Computing. "Even to get to the fine we have to go through a lengthy investigation that might take several months, then we have to take it though the courts. So fines are not our go-to tool."

However. I think with egregious cases like selling data. I am happy that the ICO fined a company for doing that. [1].

[0]: https://www.computing.co.uk/ctg/news/3027593/ico-theres-so-m...

[1]: https://www.theregister.co.uk/2018/08/09/ico_fines_data_brok...

It’s totally OK that fines are used as a last resort. As long as they will be used as a last resort.
Don't we have a glimpse of (lack of) enforcement based on previous incarnations of laws like this? What about this time is special? And why are laws crafted without ample enforcement mechanisms? At the least that makes them toothless, at the most it gives a piece of legislation that can be pulled out and used only when someone wants a reason to punish a company.
The difference is that GDPR does have effective enforcement mechanisms, precisely unlike previous laws. Now let’s see if they’ll be applied.
Mechanisms in the laws or the institutions? The difference is very important and many people, who agree with the intent of the law, have been pointing out this difference for a while now. Scribbles don't make something so. If the approach of just writing it down didn't work before, why just change words instead of approaches?
Both, if I understood what you mean: The GDPR regulation ((EU) 2016/679) contains provisions for legal enforcement, and describes which process and agencies are responsible for that.

Whether this actually works, only time can tell. But the fact that similar previous legislations went unenforced was a specific concern that the designers of the GDPR intended to address.

...which is not compliant. "Opt out everywhere" has to be the default when you click accept.

But for version 2 of GDPR I'd like to see something like: No landing pages. Content must be served on the first request. And no Captchas for Tor users.

I just don't use sites that won't work until you give consent.
(comment deleted)
That's idealistic. In my country all the news sites, as well as the local commerce sites do it. Where should I get local news from?
It is idealistic. Idealism is how the status quo changes for the better.

The short-term effect of GDPR is ugly interstitial pages and mandatory consent, but that's not the point of GDPR. The point is to make legally collecting user data difficult, annoying, and onerous in the hope that going forward more companies will eventually decide it's more trouble than it's worth. That'll only work if complying actually is a chore.

Call your local news site and complain if they aren't honoring GDPR to the letter. Call your country's ICO and complain to them too. Talk your friends and family into doing the same. Be a pest; the more annoying the better.

The reason GDPR exists is to protect people who do not understand the complicated world of online tracking. If GDPR is effective only when said people are on the front line of defense, than the GDPR has failed.

As a matter of fact, I do complain a lot, and I do file complaints about GDPR violations, but convincing my friends and family to even care about this stuff is science fiction (I've tried for over a decade now without success).

I dunno. Convincing my friends and family to care about Facebook's potential for abuse was science fiction, right up until it wasn't. Certain recent events in American politics took an issue that was abstract and invisible to the median consumer and made it very concrete and very visible.

Business and engineering culture around website construction is horribly broken with regards to user privacy. Changing that culture is going to take years of consistent pressure which existing interests are going to fight every step of the way.

In my opinion the ugly consent forms are the best thing about GDPR. A problem that techies have known about for years is now visible (and annoying) to the general public. Of course that doesn't restructure the entire internet overnight, but dragging the problem out of the shadows seems like a pretty good opening salvo.

This is actually non-compliant. Sites may not withhold service based on consent. They can paywall things no-problem, but users must not be forced to give consent at any point in order to use the service.
Well, this way you know what websites you should just avoid, because they're selling your data? The web is a large and open place, you don't need to give consent to anyone.
"downvoted for stating basic facts, amazing."

Most people who complain about this just don't want to admit that they're not actually stating basic facts.

Honestly, the upcoming ePrivacy regulation is much needed- the cookies opt-in/out needs to be handled at the browser level. The current setup is lose-lose for businesses and end users.

As a site admin, I have no problem honoring your request to not be tracked. I just can't wait until I don't have to deal with the nightmare that is OneTrust anymore.

You mean like the "do not track" request header?

https://en.wikipedia.org/wiki/Do_Not_Track

It never ceases to amaze me the number of companies that "value" my privacy but still somehow ignore the do not track header.

Well, Microsoft kinda dropped the ball on that one by making it the default (although they later changed that).
(comment deleted)
I don't feel like they did drop the ball there. By default I don't want to be tracked. I think that tracking across the internet should be opt in and users should be made aware of what websites are doing _before_ they start doing it.

I also find the idea of secret shadow profiles to slightly immoral for the same reason.

DNT is a flawed idea in the first place. DNT is based on the idea that users can opt out of being tracked by sending that header. But (e.g.) European privacy law requires having users explicitly opt in to being tracked -- the message DNT is meant to assert is the legal default under GDPR.

DNT only works if the assumption is that users who make no choice can be treated as consenting (which is no longer the case under GDPR). But if you set DNT by default you're not asserting "this user doesn't want to be tracked", you're just making it impossible to tell whether the user explicitly opts out or hasn't made a choice (and therefore actually do consent).

If tracking is opt-out rather than opt-in (i.e. if we disregard GDPR and similar privacy laws and go with how US startups have operated so far) that means DNT is no longer a reliable signal for opting out and thus meaningless.

Implications about consent and privacy aside, DNT only works if it is used with intent. In the absence of intent, by making it the default without the user's knowledge, it becomes ambiguous and therefore pointless.

To put it differently: if there had never been any browsers that set DNT by default (except maybe browsers explicitly marketing themselves as "privacy first" like Brave does), you could use DNT as an explicit assertion that you do not consent to being tracked. This means it could actually serve as a technical implementation to opt-out of any "implied consent" allowed by the GDPR and making use of your right to control your data.

But thanks to Microsoft randomly slapping on the header to piss off Google, DNT is now too ambiguous to infer any of that.

Yeesh... 80 cookies on average for news sites! Down to 60... how many different ways do they need to track one person?
At least it shows some decentralised competition! Instead of just Google and Facebook tracking you it's like everyone.
each ad network needs to track you separately. so most of those 60 cookies are not sending data to the news site, but rather to the ad network which bids to display the ad to you.
There's ad networks, but there's also the plethora of vanity metrics that management likes to collect to fill their charts which they will then use to impress stakeholders, with the hope of getting paid more than the engineers.

I could probably make a million dollars selling companies a "customer acquisition score" using phony baloney math if they place my script on their website.

GDPR doesn’t help anyone, so let’s pass more half baked regulations!

Let’s just ban companies from using the internet! That will stop internet advertising for good. Thank God smart politicians like me care so much.

In what way does it not help anyone?

It certainly seems to help EU citizens, like myself.

The GDPR made me switch my cookie policy, to using two Chrome extensions in tandem:

- I don't care about cookies: auto accepts all cookies

- Cookie AutoDelete: auto deletes all cookies

So now you can track me all you want... until I leave your website and all the cookies are gone (unless whitelisted).

I fucking hate GDPR policy making every website to show "Cookie Policy" ad pop modal. STOP. Every single time after I have accepted it, I come back the next day, I see the same modal again. I just accept it anyway, so stop. Stop this horrible UX. Sorry, but it really annoys the shit out of me. It does and I am pissed off every single time. If I accept, stop asking.
Are you blocking third party cookies in your browser? If the site uses a third party cookie to store your preference, then it may be unable to recall what you previously entered.
Are you using a browser extension that may be interfering with the website? I haven't had issues with website forgetting my preferences yet.

Also being in the EU I'm used to these cookie dialogues, except before GDPR if I wanted to opt-out (assuming that it was even an option) I'd often have to wade through multiple pages, opting-out of the tracking which would take a while, especially since they were usually using every dark pattern in the book.

Now with GDPR I still get the messages but everything is opt-in instead of opt-out and I can just click the (sometimes obfuscated) "I refuse" and carry on. It's actually a huge quality of life improvement as far as I'm concerned.

At work I don't have any third-party blocking extensions (I use Chrome). At home and on my mobile I do (I use Firefox Focus), but neither let websites to "remember".

Is there something I need to configure?

Firefox Focus deletes all data upon closing. That includes cookies where your consent was locally stored. That's why you're seeing it every time.
Yeah, but this problem exists even on Chrome which I have no extension.So Chrome has some built-in blocker interferring it?
GDPR doesn't make every site show cookie policies and popups now. It's entirely within a site's power to decide not to collect analyitics on their traffic, in which case they don't have to show or get consent for anything.

I know, that's so glib that it's laughable. That's the point.

We currently have a status quo where user analytics are very valuable while the cost of collecting them is minimal. That strongly incentivizes site owners to collect and store as much data as possible. In this moment we have a business culture and a set of engineering best practices that's grown up around those incentives.

GDPR changes the incentive structure by imposing a cost on the collection end, in the hope that site operators will start being significantly pickier about what analytics they want to collect, when, and from whom. The end goal is a cultural change in how we collectively build websites. But culture doesn't change on a dime. It takes time for the existing actors to accept and adapt to a new normal, especially one that's more hostile to their interests.

Be pissed off. Pissed off is an appropriate response to the horrible UX you're being exposed to. But be pissed off at the people showing you the horrible UX. It's in their power to stop, they just don't want to.

The dark patterns in play now to get explicit consent are pretty bad now though. Take Mashable for example.

On first visiting the site you are presented with the option to "Consent" or view more Options (where you can Opt Out of all - except you can't really because some require Opting Out on the specific Advertisers site). But if you do choose to Opt Out all, they will then show you the initial Option box on every visit to the site, where you have to go through the More Options route every time. And if you ever accidentally click I Consent, then they opt you back in to everything again and then never show you that option box ever again.

Note: I just picked on Mashable, but there are many, many sites following this same dark pattern.

This. I also found the Daily Mail decided that if you ignored the banner asking for consent and scrolled far enough down the page, it assumed consent for everything. Definitely shady, probably illegal.
GDPR requires affirmative action for consent. This was specifically touched upon in the recital 32:

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Enter Brave. And uBlock Origin. And DuckDuckGo privacy essentials.
Swap DDG Privacy Essentials for uMatrix and you won't get the cookie pop-ups _nor_ the tracker cookies, which is pretty swell in my book.

It breaks some sites, but after saving settings for your more commonly visited ones, you really don't notice it all that much.

Article 7 of the GDPR specifically states that "It shall be as easy to withdraw as to give consent."

> And if you ever accidentally click I Consent, then they opt you back in to everything again and then never show you that option box ever again.

If this is accurate, then this is another violation of the same article, which also states that "The data subject shall have the right to withdraw his or her consent at any time."

(comment deleted)
Dark patterns like that are explicitly not allowed and hopefully these sites will learn that if they aren’t going to be compliant then they might as well not show anything and just ignore the GDPR.
I had an interesting encounter recently:

https://imgur.com/a/i1hm1TQ

I'm not sure what conclusion you're drawing, the final two screenshots didn't have any explanation.

As far as I can tell, you've observed that if you force your browser to stop displaying the cookie preferences overlay, the hidden page becomes visible again.

Does this reveal something controversial that I haven't inferred?

The same thing happens on Forbes. Trying to opt out fails after "applying preferences" a few minutes.

It's of course bullshit.

I just HATE all the pop-ups asking for permission to use cookies now.

Seriously, having to opt-in on a per-site basis has led me to loathe the GDPR. It's a usability disaster. I never thought I'd hate anything more than the "sign up for our newsletter" pop-ups... but these are even more pervasive.

If I'm the kind of person who hates cookies/tracking, I'll just install a blocker and block it everywhere, and then whitelist any domains I need to.

It just makes me feel like the GDPR was a win for lawyers and legalese, and nobody else.

I think we should have a de facto standard element class for legal notices with no required user action, like legal-notice-no-action-required. Webistes use the css class, uBlock Origin makes it a built-in default element filter. Website owners can fulfill their legal obligations and users that proactively shape their browsing experience are all set. Neither side wants these things messing up the browsing experience so, unlike the ad wars, we can work together.
> I think we should have a de facto standard element class for legal notices with no required user action, like legal-notice-no-action-required. Webistes use the css class, uBlock Origin makes it a built-in default element filter. Website owners can fulfill their legal obligations and users that proactively shape their browsing experience are all set.

Sounds like P3P ( https://en.wikipedia.org/wiki/P3P )

> Neither side wants these things messing up the browsing experience so, unlike the ad wars, we can work together.

Personally, I absolutely want to know when sites are trying to spy on me and sell the data. Despicable crap like that should be forced out into the public, not quietly agreed to by the browser. That's exactly what GDPR is for.

> Personally, I absolutely want to know when sites are trying to spy on me and sell the data.

It's best to assume they're all doing that to some degree whether they tell you they are or not. For one, most of the world isn't beholden to EU law. Also, bad players don't play by the rules and by the time you know they're bad, it's too late.

> Despicable crap like that should be forced out into the public, not quietly agreed to by the browser.

But the cookie law doesn't fix that problem, or any problem for that matter. The notifications are 100% pointless and we're stuck with them because of a stupid law. If anything, having a standard way to block the notices might encourage more users towards a real fix for the tracking problems, which is using something like uBlock Origin (just don't tell that to the site owners that don't want users having tracking blockers).

GDPR gives sites a choice: either stop doing shady stuff, or ruin the UX. If a site's UX has been ruined, that's because the site has specifically chosen to keep doing shady stuff. Blame the site for being shady. GDPR is on the side of the users.

Note that GDPR doesn't say things like "cookies need a consent form"; rather, it requires that data processing is only performed if a certain valid reason is given. One valid reason is that the service offered by the site couldn't be achieved without the processing. That's fine. If something's not required to perform the service (i.e. shady stuff), the only valid reason for doing it is if consent is given; hence the awful forms.

It's almost like these companies implemented things in the shittiest way possible, to purposely sour your opinion on the law.
I feel like the DNT header could have been made a lot better if it worked alongside GDPR. Like, 0 = haven't chosen/prompt me (I want to pick exactly what cookies I want), 1 = don't care give me everything, 2 = functional, 3 = please don't track me at all. You could then just surface this per-site even in the browser, maybe in a way resembling the IE Security Zone settings with their nice sliders.
I don't think this would work as it makes it too easy to not be fully tracked. There are so many hoops to go through now because companies want to incentivise being tracked and punish those who don't wish to be.

If this was brought in through regulation, that's a different story.

The methodology behind this study looks okay but it isn't necessarily representative of real world use. The study looks at the front page of around 200 news sites in Europe with a browser cleaned of all cookies. However in all cases the IP address belonged to a machine at the university of Oxford so it probably had some history attached to it.

It shows some reduction in cookies served before user interaction but it isn't clear is this is due to GDPR or other changes that have been made over the 3 month period.

My summary is that the data found is not statistically significant given the relatively limited sample size and lack of any control sample to compare against showing usual variation over a 3 month period.

The GDPR should get one important update and that’s QUICK:

You shouldn’t be allowed to ask for consent to do tracking or targeting as a pop up. The site must be completely usable using only “required” cookies (to which no consent should be required if it only tracks a limited set of data) and any option to consent to anything outside this must be a hidden option.

That is: sites should have to work 100% without popups and shouldn’t be allowed to use “marketing cookies” (for tracking and ad targeting)

Otherwise we just traded one nuisance for another.

> The site must be completely usable using only “required” cookies (to which no consent should be required if it only tracks a limited set of data)

I think GDPR does actually say this.

> any option to consent to anything outside this must be a hidden option.

You're right that this would be a difference (although I imagine sites would still end up covered in dark patterns trying to get users to enable it)

Right. And ”hidden option” is perhaps the wrong word, but let’s say one that doesn’t prevent using the site/service in full.

Even supposedly serious outlets like WaPo does this. Full screen splash that says “by using the site you agree to targeted ads”. Why even bother with that when it’s so blatantly in violation? Isn’t it almost better to not look like you are deliberately in violation like that?

It’s not even a dark pattern, it’s just a big fat splash explaining how they don’t care about the GDPR and intend to show me targeted ads using tracking cookies.

I don't understand why there is so much negative impression of GDPR. Most businesses do not need to track users; they do it only because they can and it is not forbidden. Let me give you some examples:

- Wikipedia can serve you pages without knowing anything about you

- You can download and use Debian distribution without providing any data about yourself. Microsoft can do the same.

- Internet shops like Amazon or Ebay don't need to track you. They earn money when you buy something and if they delete PII after the order is completed they still have the money. GDPR is not taking them away.

- Google can work just fine without tracking users. They show advertisement in search results, they get paid for it and they don't need to collect everything you have typed to earn profit

- Youtube can show ads and get paid for it to completely anonymous users

- Android and Google Maps don't need to track you. You paid for them when you bought your device, you don't have to pay once more with your data and opt into dubious "help us improve your user experience" scams.

- Netflix gets money from you anyway and doesn't need to track you

- Facebook doesn't need to track you across the web. It can show ads and get paid for it anyway.

Look around. Most of businesses can earn money without collecting any personal information. The ones who can lose because of GDPR are only shady marketing agencies, legal spam conpanies, data brokers and three-letter agencies. I don't feel sorry for any of them.

We should think about better protection of privacy and anonimity rather than worry about profits of Californian corporations wanting to make everyone their product.

If you're looking for advertisers, all other things being equal, do you go with the advertiser who guarantees your ads will go to those most likely to have interest in your product, or do you go with the advertiser that will send your ads to random people?

Of course they _can_ serve ads randomly, but they're competing to provide the best value for those buying ads.

Corporations want cheaper ads; I understand that but I don't understand why I should be tracked. They should develop better ads without violating someone's privacy or anonymity.
Companies aren't paying just to show you ads. They are almost always paying for clicks on those ads that lead users to their website.

That tracking allows them to build more accurate models on what ads a user will click on and then tailor ads to the user causing increased ad click rates which results in more revenue.

And I'm not really concerned about the big companies. I'm concerned about all the news agencies that are barely scraping by with targeted advertising revenue. Remove the targeting and web journalism will get even worse as they have to layoff more people and resort to even more clickbaity news.

Without tracking the ad won't disappear, just some kinds of it can become more expensive and less effective; that is not a big problem. Companies can still show relevant ads: Google can show ads matching current search query, Youtube can show ads relevant to the video, and so on.

Regarding news sites, they have a lot of opportunities to earn money, for example, publish sponsored articles. They can also use subscription model. It is better than have mobile apps that scrap data from your phone, Google Maps that track every your step, and data brokers you never heard of but they have full information about you. We should not sacrifice our privacy only because someone out there cannot make the ends meet.

Google won't shut down if you stop it from tracking users' location. People will still search the internet and buy smartphones.