1,009 comments

[ 1.7 ms ] story [ 464 ms ] thread
It's time for a browser-level cookie consent API. The web interfaces are almost always a pain, especially on mobile.

This would also open the door to extensions that just default consent to 'no'. This can't be the default though, to avoid another failure like Do Not Track.

we already have that. it’s called your cookie settings.
I've been saying this for years. Cookies are already a browser feature. Browsers just need to expose a little more control over it
Firefox used to. But they ripped that out like every other useful feature over the years.
I don't understand why. This is exactly something that browsers should do.
They did? I haven't noticed a change in many years or using it. If anything it's gotten better with the availability of extra functionality through cookie autodelete and built in container tabs.
Me too... nobody listens...
How is this not solved by Brave + uBlock Origin or Disconnect or Privacy Badger?
1. Because websites keep bugging me about consent

2. Because website builders need to write custom things for consent

P3P https://en.wikipedia.org/wiki/P3P is a thing already, if perhaps a bit overengineered. It even works in IE6!
That's server-side (and dead). Cookie consent would primarily be client-side.

Otoh, we already have cookie-consent in browsers. Just don't accept cookies if you don't consent!

P3P also exposes a machine-readable semantics for privacy policies, which could be used by the browser to manage access to not just cookies but other problematic features as well. It's a lot more flexible than "just reject cookies" or the "DNT" header.
The issue is imho that the decision needs to happen server-side (so that a user with an incompatible client isn't slurped up by default), ergo the user-agent must declare the intentions of the user and the server needs to act on it.

P3P could be a hint for the the user-agent, but the user-agent would have to tell the server what level of tracking etc is acceptable to the user.

Do Not Tracked was not backed up by laws. That's the difference.
If the default was 'yes' (i.e. opt-in) then it's not consent.

The solution is just proper enforcement and education. Opt-out by law must be the default while opt-in requires extra actions. Just teach people to always click No and eventually the dialogues will go away.

A browser setting replacing the popups is part of the new EU ePrivacy Regulation, which is at the moment still being discussed. I hope it gets finalized soon, because there's a number of improvements in there.

https://ec.europa.eu/digital-single-market/en/proposal-epriv...

Thank god, I never understood the EU directives that didn’t consider that by making sure things were implemented at a browser level it would cause an order of magnitude less work for web developers/site owners and ensure a consistent experience for end users.
It boggles my mind why they didn't think of doing this in the first place. I've been annoyed by the stupid cookie law since it became a law, it's ridiculous to have every single website implement it differently when the darn browsers can just implement it.
The cookie law is 18 years old, browsers have changed quite a bit since then, as has legislative understanding of the tech field.
Having read through GDPR, I got the distinct impression that nobody involved in writing it really understood the technologies involved. There's a lot of handwaving about "reasonable measures" whenever they run into ignorance that's absent in the many chapters about inter-government protocols.
GDPR was explicitly designed to be "general". Specifying website behaviour is a bit specific for a regulation that wants to regulate privacy at a whole (in virtual and reallife interactions). Of course that also means that the regulation is quite lacking when it comes to specifics but that wasn't its goal. The goal was to be a fallback-law which regulates everything that is not explicitly regulated otherwise.

What you want is the ePrivacy Directive which "introduced" the cookie banners many years ago and its updated version which is (still) not ready.

What makes that different than the failed do not track header?
The DNT header must be honored by the remote service, similar to robots.txt.

Since the browser itself stores the cookies, it has the absolute authority to stop them.

So is this just going to be a different/easier way to configure per site cookies?
(comment deleted)
Yep, let's hope that becomes true - the last time I looked into[1] the situation, it seemed that the latest drafts have moved the settings back out of the browser.

I contacted my MEP at the time about this, and please do the same if you can voice your support for simpler, genuinely user-friendly and consent-respecting settings.

[1] - https://news.ycombinator.com/item?id=21914283

It's still there, page 27. They just refer to the browser as software providers, which is probably better, as it now covers internet software that is not technically a browser.
It seems ambiguous to me - my concern/question is whether the definition of 'software settings' could include the content of a web page itself.

That could lead us back to the current situation where consent dialogs are designed by advertising networks, and result in user consent fatigue.

Frankly, I'd be happy if sites just supported Do Not Track.
They do support it, if including it as a level of granularity for fingerprinting counts as support. :-)
This should've been what was done from the get go. Browsers have given us control over cookies for a very long time now. But hey, it's the EU, there's a reason the EU has a lack of tech companies. I'm sure that when they finally do what you suggest they'll screw it up somehow as well.
You want regulators to design APIs?
What I want is irrelevant. I have as much say about what happens in the EU as I have say in US politics despite being from the EU. The politicians will do something stupid regardless and then years later not understand why things are going poorly. Meanwhile the Germans and French will love it, because it screws those evil evil American companies. So, the regulators might as well design APIs. It's hard to imagine that it would end up any worse than their usual.
I'm pretty grossed out that the internet has been taken over by the government.

Blocking cookies should be done by users via software.

This is only going to make the barrier to entry higher and more expensive.

I have no idea what many small non tech businesses would do? Pay a few thousand every year when standards change?

> This is only going to make the barrier to entry higher and more expensive.

That's the point. We want the barrier to entry in widespread tracking to be high.

For what it's worth, you don't need cookie consent warnings if you use them only for functionality integral to the product you offer your user. For example, if you need to use a cookie to facilitate a logged-in user session, you don't need to warn them.

The only ones paying the high price is the people who use it to collect user information not essential to the service they provide to the user, for god knows what.

Actually, we want to to be so high that nobody (including massive companies) can circumvent user consent.
> Blocking cookies should be done by users via software.

That’s what is done.

The government doesn’t block cookies for you, they set the rules with user data, and the actors (service providers and users) act accordingly.

That’s how things should be.

I don’t want the governments to build or design software, I want them to set the rules and let browser developers and other actors react accordingly. If the reaction isn’t judged well intended or good enough, they are sanctioned accordingly.

Regulators designing, or at least mandating, an API isn't that weird a concept; for instance that's how PSD2 open banking works in some countries.
It’s called “using an extension to manage cookies”. There are dozens of extensions for this.

Encoding the usage of a particular (probably otherwise short-lived) technology in law is generally a pretty bad idea. Sure, have the EU write laws about cookies - the two outcomes are A) this becomes useless when people switch to a different tech stack that doesn’t use cookies B) we’re stuck using 30-year-old technology to try to get things done, at least for regulated industries like banking or government services. Like the IE regulatory situation in Korea but worse.

The gdpr does NOT plainly state cookies. It refers to any form of user tracking from websites!

Quoting recital 30 of gdpr

"NATURAL PERSONS MAY BE ASSOCIATED WITH ONLINE IDENTIFIERS…SUCH AS INTERNET PROTOCOL ADDRESSES, COOKIE IDENTIFIERS OR OTHER IDENTIFIERS…. THIS MAY LEAVE TRACES WHICH, IN PARTICULAR WHEN COMBINED WITH UNIQUE IDENTIFIERS AND OTHER INFORMATION RECEIVED BY THE SERVERS, MAY BE USED TO CREATE PROFILES OF THE NATURAL PERSONS AND IDENTIFY THEM."

https://gdpr-info.eu/recitals/no-30/

When a corporate lawyer hears a law explicitly list technologies like "IP addresses" and "cookies", they're going to (rationally) get scared when you step outside the clear boundaries of that law, and it's their job to place institutional pressure on technical people within the corporation not to do things that make them scared.
> the IE regulatory situation in Korea

I found this from 2013:

https://www.zdnet.com/article/south-koreans-use-internet-exp...

Anyone have an update to that story? I know in Korea they use a ton of apps to order things all the time now. Maybe this law was phased out, or just didn't apply to phones?

Not to take away from your broader point. Laws are just such a terrible development model. Everything's tested live and you can't easily revert anything.

The law is not about cookies, it's about an obligation to inform on and let users opt out of tracking features that go beyond technically necessary features.
The law uses the word "cookies".
Only once, and only as an example:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

From: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL....

Seriously. If there was ever something that needs standardization, it's this horrible cookie law crap.
Oh boy this really has come full circle.

I'm an old dude, so I never understood why you would require websites to ask for cookie consent, when you can handle that more safely in your web browser.

That's like putting a sticker on your car saying "Don't come into my car" instead of just locking it. Why do you need regulation when you can just let technology solve it? No idea.

So NO! NO fucking cookie consent API! Just let the browser ask you when a cookie needs to get set... DAMNIT!

In my day, website used to be websites where you could read stuff. Anyone who wasn't able to predict these annoying popups after HTML5 and GDPR, is seriously blind.

(Sorry for the rant ;))

Yeah in your day websites were websites where you could read stuff. But today they’re massive interactive applications. It’s not even remotely the same.
Well, I don't want an article to be interactive.
I so agree with this. I find the level of admiration for this painful law absurd.

I'm stuck in Europe. I was fine without the GDPR. Now, I waste my time clicking "accept" because I don't have time to deal with this crap. Meanwhile, my university has hired what my stepfather would have called a "tweety little person" to police GDPR regulations. God knows what she does (she doesn't). God knows in what single way she has improved a single person's life. But she has a job now, and by God, she'll fight for it.

I care about privacy, but there were options to manage this already - like browser extensions. You could download them if you cared, and if you didn't want to, you didn't have to. Government regulation, demanded by zealots, has added one hundred tiny frustrations per day to millions of ordinary people, caused an expensive pain to thousands of small websites, and created a new, wholly useless compliance industry.

And is Facebook tracking me any less? Ha ha ha. Facebook can afford lawyers.

Wow, finally a like minded person!

The argument I always hear is "Ordinary people don't know about cookies so it's the websites responsibility". As if ordinary people now understand cookies.

It's all a big fiasco, supported by people who think theory works in practice.

> Anyone who wasn't able to predict these annoying popups after HTML5 and GDPR, is seriously blind.

Have you read the GDPR, though? Because in no way does it require "cookie consent", incidentally, neither did the previous "cookie law". The consent forms I've seen so far are all willfull misinterpretation, dark patterns, or both.

95% (if not more) of non-shady uses of cookies do not require consent, and thus don't need a consent popup. If you do implement one on your website it means one of several things:

1) You did not actually read or understand when/why you need consent

2) You did read it/don't understand, but are unable to figure out where all the stuff on your site is actually coming from and are thus unsure about the implications

3) You actually need consent (in case you are hosed anyway, you can't predicate usage on consent, so there's 0 motivation for users to ever consent)

4) Your purposely trying to annoy EU residents in hopes they will lobby against GDPR back in the EU

5) You're blindly copying what other people are doing, because thinking is hard.

Ah, I see you've never talked with a legal team.

1. Is there risk?

2. Does adding a consent screen reduce or remove risk?

3. Is the risk reduction from 2 less than the cost?

Congrats, now every website in the world gets a cookie consent screen even if not technically required.

The problem is probably that it’s a European-style law, being read by U.S. lawyers. Those lawyers interpret every word strictly and worry about what the most negative interpretation might mean, and assign risk accordingly. European lawyers know that the spirit and guidelines are what matter, and say “as long as you can plausibly show that you made a good-faith effort to comply with the stated intention of the law, you’re fine.”
See, I'd be with you with this interpretation, were it not for the fact that a solid >70% of consent screens I've seen blatantly violate the GDPR in a number of ways, so if this process is what happened, legal done fucked up.

Not "subtly getting a minor detail wrong", but "doing something that is explicitly mentioned as not allowed" levels of wrong.

Unfortunately I had to read it for my own website, and have applied it properly. But I'm technical and can actually understand it.

But 99% of businesses owners went to full panic mode and went straight to your point 5. "Our website needs such a popup".

Do you think the general public now understand cookies? Of course they don't.

Seemed all pretty obvious to me.

But it's not cookie consent, it's tracking consent.
You don't need an API for it. Browsers can reject cookies at a protocol level (by simply not sending cookie headers), and indeed used to ask users whether they wanted to allow cookies from a certain domain or not.

You can disable all cookies altogether in at least Firefox and Chrome. You can make them only last for the current session.

The problem as always is that, like Javascript, some cookies are still useful (saved login and 2FA status).

Power users, upon request, should be presented with and asked to accept/reject/blacklist/whitelist cookies.

Interestingly the only browser I know of that does this is Lynx, which is text-only and does not support Javascript.

I use Brave + uBlock and get nearly this exact experience. Disconnect and Privacy Badger also work well.
I use uBlock as well, but it doesn't have a convenient interface that allows me to inspect and modify cookie permissions.

What is your workflow when visiting a new site and figuring out what cookies to allow?

Then it's not so much a cookie consent API we're looking for but an "unwanted cookie" consent API. Issue immediately becomes political, which IMO is why previous attempts at such (Do Not Track header) have failed.

With browsers you can of course default to blacklisting all cookies and add exceptions as you go. I did this privately in Firefox until I was sent to work from home during the pandemic, after which figuring out what cookies I needed to enable to get Teams to work proved too much of a hassle.

It has nothing to do with political consent. It's a matter of providing a user with better UX for cookie management, precisely because "blacklist everything from this domain" is too broad.
It is worse than UX issue - it is a billateral UX really for what both designers ans usere can do tying functions together to "subvert the purpose" in combinatorial explosions.

The political is in trying to limit the options to either party like the Computer Fraud Abuse Act charging someone for entering in every possible phone number into a phone directory. The extreme unlimited (il)logical extreme is "If the user is capable of exploiting several 0 day escalation of priveledge attacks to download all of the credit card information and then delete the website that is on the designers for making a shoddy website" being legal. That would be a pure "no politics" UX system with many obvious and inobvious side effects.

It's not just cookies though, it's tracking in general which you should also be able to turn off (but impossible at browser level).
Do Not Track was a failure because no state actor was forcing private companies to comply. Even if it had been an opt-in solution, no company would have respected it.
Interestingly DNT was used by Medium to some extent.
It's sad that I need to ask what "used" means in this context, but did they respect Do Not Track or use it as a tracking point?
They respected it in the sense that they didn't load external embedded content that didn't respect it.
This seems like it should have been handled as a browser feature, not an add-on to every damn website. Especially since they tend to somehow forget that you clicked accept or reject and keep asking you.
Whats harder, change 5 browsers or 2 billion websites.
The big question: what makes more money for lawyers (who write & vote on the laws)?
Nah, the Illuminati are funding it. It’s fine.
True, its probably easier to collect rent indefinitely on websites rather than convince Microsoft/Google/Mozilla/Apple to change their browsers.
This is handled as a browser feature. Regulators just did not care - and most probably did not know about that.
It probably wasn't in 2002, when the current cookie law was written. The new ePrivacy Regulation does want to replace it with a browser function though:

https://ec.europa.eu/digital-single-market/en/proposal-epriv...

Internet Explorer 6 gave you control over your cookies. It was even recommended that you would set the slider to block all or most cookies. I'm unsure about previous versions.
Contrary to popular belief, the "cookie law" doesn't only concern cookies, and it does not concern all cookies.
how can the browser know what a cookie is for?
The browser can ask me if I’m willing to accept cookies from a given website and remember my choice. It already allows me to do most of this, just does not have the pop up UI.
Perhaps browsers could look for a /cookies.json file that provides more information in a standard format about what the cookies are and why they are needed.

Then the browser can display this however it is needed and let the user decide which to accept. Plugins could also automate this for the most popular websites so that only the necessary ones are used.

I just block all non-first party cookies with uMatrix. It's not perfect though and sometimes others have to be enabled, especially Google otherwise you'll spend your life completing Captchas.

Legally they have to show the consent screen again if anything changes, such as them working with a new vendor, of if the IAB releases a new version of the Global Vendor List.
Definitely because this whole concept of consent, choices and protection against tracking done via modals operating on cookies or other temporary forms of settings, is pointless if the browser cache is being cleared either manually or automatically by predefined parameter or, when user accesses site via different browser or machine. The multiple devices ownership is another issue itself - everything becomes a logistical nightmare if user would like to set its choices on each of devices it interacts with, for each of site it wants to use or access. The problem seems to be almost non-existent if browser handles the choice - but then another issue emerges: how, what to display when users wishes to not being tracked. Timed content? Reader's view? Plain text?

DNT exists but either is not respected or as I've read around, being used to sieve out and track those who do not wish to be tracked.

In a perfect world where everyone is playing fair, site owners would be able to convince users that tracking is beneficial for them and such benefits for users would exist and would convince users to whitelist sites. But sadly, our reality is different and we're facing the aggressive modals - "give us consent or else you won't see the content".

I do understand that there's a need of earning money but this shouldn't be done by deceptive tactics of dark patterns and empty "we care for your privacy" slogans. But then I also don't believe that we'll face another "revision" of how tracking choices are handled done by regulators - not with Google around who's implanting this idea that Google Chrome is the Internet and we don't need address bar.

Can we kill off anything that takes more than a second or two to 'not opt-in' as well?

It's obviously against the spirit of the law to have 200 different boxes that must be individually unticked, or the sort of nonsense that Oracle were pulling a while back (maybe still do) with the intentional delay spinner if you don't 'opt-in'.

it is against both the spirit and the letter, as preticked boxes are not considered a valid opt-in.
(comment deleted)
It's amazing how stubbornly site operators are clinging to tricks to get user data as if it's not all prohibited by GDPR.
They're used to stonewalling USian regulators who will capitulate after a round or two.
Well, would you rather the site just not exist then? Because I'm pretty sure that most of these sites already aren't making much money. If you make it much much much harder for them to get money then they won't survive.
So then shut them down. There is no human right to run a profitable website, there is however a human right to privacy.

If you can't run a website without literally violating the users basic human rights, then just don't.

Users have a choice to use the website. Do you complain that a bar is violating your basic human rights if it has a camera in it? Should all bars with that be shut down? Same for shopping centers and everywhere else. If you don't like it then simply don't use the website. It's really not that difficult.
the GDPR does apply to a camera in a bar. As long as it is used exclusively for security and data purged regularly, it can be claimed to be required.

Certainly the bar owner cannot distribute the videos without explicit consent. And yes, that can be problematic in many cases (for examples, capturing faces of people in a concert).

(comment deleted)
GDPR definitely applies to cameras in bars or shopping centers - in fact, much more of GDPR enforcement has been about issues such as those, the web world is not that important.

If a shopping center would want to distribute surveillance camera data to 'trusted partners' for marketing research without informed consent of the customers, that would definitely be a GDPR violation, and there would not be a "if you don't like it then don't go to that supermarket" situation but "if your supermarket can't survive without that income, then tough luck".

there is this misunderstanding that GDPR is only (or primarily) about cookies or even online presence.
> Users have a choice to use the website.

Correct, and thankfully website operators don't get the choice to violate users privacy without consent.

Yes, I would. I would prefer that adtech as it is became unviable. People will come up with better schemes to pay for content online. Just showing ads without the ubiquitous targeting and tracking worked fine for television.
(comment deleted)
No, it didn't. It worked horrible for television. Every hour of television was filled with over 15 minutes of ads. It was horrible for the consumer.
The harm that can and most likely will be done by under-regulated trade of peoples intimate information is far greater than the harm of showing them ads. Targeted disinformation has already made a huge mess of US politics. Turning "personal computers", phones, and IoT junk into surveillance devices a la 1984 was either profoundly short-sighted and stupid or a very clever attack on individual liberty and agency, depending on intent of each actor involved. To the extent that knowledge is power, people are being tricked into giving up far too much. I say tricked because of what isn't immediately obvious when transacting with some tracking system on an otherwise free website:

When you give up a small piece of seemingly insignificant data about yourself a million times per year, the aggregate is wildly more significant than the sum of those pieces. When you and everyone you know give up the aggregate of each persons aggregate information, again, its value is compounded. Finally, since no one has any insight into nor control over where their data ends up or how it's used down the road, the danger of sharing is even less evident.

Good can and does come from transparency, but this is one-way transparency. It's top-down and is begging for abuse. If we had a truly voter-representative government, it would have already created laws to mitigate the easy-to-anticipate problems that arise from massive accumulations of personal information, and we would no doubt have a better, if less profitable, WWW as a result.

It's even more amazing how regulators have been tolerating such blatant abuses instead of just grabbing the Alexa Top 1000, filtering for sites in their jurisdiction, and then going top-to-bottom slapping every violator with a fine.

Start from the top of the list every month, and slap any continued violator with 10x the previous fine. Go as far as time allows within the month.

I bet by the start of month 3, 90% of the sites would be compliant instead of 99% of them blatantly violating the rules.

I would define this as: if a site deliberately makes it any easier to "opt-in" than not, then a user giving up and just clicking the opt-in does not constitute freely giving consent, and any data gathered that way is not in compliance.
It's already in there. Article 7, third paragraph:

> It shall be as easy to withdraw as to give consent.

Imagine seeing some 10 million euro fines over that. Would be glorious.
I believe withdraw is after the fact, while what we need here is an option to reject the consent in the first place.
If the rule was applied literally and strictly, that would be even better.

Is consent given by agreeing to a huge banner that pops up anew every time you load the page?

Fine, you can do that, but then you have to pop up a huge "withdraw consent" banner every time a user that gave consent visits your site. Which you probably don't want, so you can't do the obnoxious opt-in banner either.

In practice, that would make any obnoxious way to ask for consent untenable, because you couldn't use it to annoy users into consenting (and staying in consenting state).

And I feel even that is giving publishers some leeway. Even if a button is theoretically as easy to hit as another button, if it's just a bit of underlined text vs a button with a solid and bright background, they'll still get most of their users "consenting".

(I'm wondering if they're teaching me to hit the de-emphasised button by default.)

I'd base it if clicks and not time. You shouldn't need to do more than 2 clicks and any usage of the site for that process shouldn't be deemed implicit consent.
Both are necessary. Otherwise, you get the 'opt-in = site loads immediately, opt-out = site takes >1 minute to load' scenario and everyone opts in anyway.
Thats actually what the new ePrivacy regulation is planning. It's just not been adopted still, although it originally should have been 2018.

To quote:

"Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors."

Source: https://ec.europa.eu/digital-single-market/en/proposal-epriv...

Finally! EU should have required browser vendors in the first place to handle the intent of the privacy regulation on GDPR, to avoid having this discussion...
The extant ePrivacy directive is from 2002.

So... maybe you should go back in time and tell the EU back at the turn of the millennium that...

Oh, so why it didn’t happen so that browser vendors and W3C did not add some HTTP header to disallow tracking, and browsers did not represent users options to manage their privacy, instead of these mandatory annoying popups?
A law requiring websites to honor 'do not track' header would be sufficient and require no big changes to internet protocols or browsers.

People say that DNT failed because it was selected by default - but no, it failed because compliance was voluntary. The EU principles require explicit opt-in confirmation, so a browser setting that's set to "not track" by default is a reasonable way to do it, it only needs enforcement to ensure that websites (in EU jurisdiction) treat the DNT header as binding instruction to not track that user.

There are plenty of laws that would have been sufficient.

One of them would be to make browsers responsible for providing sensible defaults. And while the public perception might think the webpages are at fault it was the browsers that were responsible for storing and broadcasting private data. Arguably without clear and informed consent.

Of course there are problems with requiring software to have sensible default settings, but I reckon most problems with any legislation are due to the fact that none of them address the fact that cookies are a perfectly private system (with the user in full control of their own data) provided browsers don't send this data with every request without permission.

It's been a little while since I researched[1] this, but I'd recommend spending a little time to find out what the latest state-of-play is.

There was definitely a prior movement to push these cookie consent settings down to the browser (where I think they have the most chance of being respectful of the user and their consent choices) - but the situation changed later during subsequent ePrivacy regulation drafts.

Please voice your concerns with your MEP if you can - displays of support can and will change policy directions.

[1] - https://news.ycombinator.com/item?id=21914283

And while we're at it, let's forbid putting a cookie in your browser that says you opted-out as the opt-out mechanism. It's so stupid. I specifically said I didn't want any of your cookies on my machine, and now to not get your cookies, I have to accept a cookie. Nope, just blocking all cookies instead. If that makes your site not work, I'll just tell my friends your site is broken instead of sending them links to it.
> Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.

This seems like a slippery slope situation. What if you require people to login, signup, or pay to access your content?

There is certainly some sites out there that reasonably require this. How do we define the boundary between the two?

This is... okay, obviously? Depends on what the consent is for. Tracking for targeted ads? No. Logged-in personalized content or subscription? Yes.
The cookie consent wall is only a solution for sites willing to drop third-party cookies.

You can still require anything regarding your own website to access it, including cookies, as long as those are needed for the correct functioning of your website.

What this clarifies is that you can longer restrict your website access to people "consenting" to have tens of other companies dropping cookies on them.

> What this clarifies is that you can longer restrict your website access to people "consenting" to have tens of other companies dropping cookies on them.

This is the same thing as forcing a religious baker to make a statement cakes that violate their religion. If you don't like how a site works don't fucking visit it! Every modern browser has a setting to block third party cookies as well. Forcing web site owners to serve customers who don't like the business model of the site is Orwellian.

No, it's not orwellian at all.

There a ton of things you can't ask as payment for your services. It may be physical (let's say body parts), or conceptual (let's say the user freedom of speech). Those things can't be enforced by any contract, however you want to write them, and even if you somehow got someone to sign on it, it would still be void.

In the EU, we deemed suitable to add "privacy" to the list of things you can't legally ask a payment for when providing a service in the form of a website.

That's it. Maybe that's shocking for you, but it's not for me, it's not for the people I voted for, and apparently it's not for quite a number of people and so, it passed.

If you don't like how the law works, well, don't live in the EU ? You can find a lot of countries where this is isn't a consideration, and that may suit you better. Otherwise, well, you've been pwned by democracy. Tough luck !

(I won't begin to adress your comparison with the baker, because, well, I can't begin to make sense of it.)

>If you don't like how the law works, well, don't live in the EU ? You can find a lot of countries where this is isn't a consideration, and that may suit you better. Otherwise, well, you've been pwned by democracy. Tough luck !

Democracy? The commission doesn't get elected. The commission is the one to create the laws. Furthermore, most of the voting in the Parliament is done by people not even in my own country. This means that they don't have to care about what I want at all, as my vote has zero effect on them. And if the EU keeps going the way it is then I'd definitely like to get out, because the only thing the EU does is legislate while the bloc's economy has been doing poorly.

Eu lawmaking in a nutshell:

Commission (leaders of which are selected by your government that you presumably voted for) makes a draft.

Commission consults widely (usually online consultation) and all national ministries comment.

Commission redrafts and sends to parliament and council.

In the council your government has (most of the time) veto power.

In the parliament your and other countries delegates vote on it.

Then parliament (people's representatives) and council (national government representatives) sit together, find the middle ground of a final draft.

Parliament and council then each do a final vote.

Depending on the exact type of legal document it either enters into force right away or your national administration, parliament and government create their own national version of it conform to the EU document and make that a national law.

That's a pretty heavy process but it's just wrong to say that the voters don't have influence. National governments and delegates both can say no.

Now is the parliament representative just because people are not from just one country? Is your national parliament representative even if there are people from different regions/cities/...? Is your major democratically elected just because that other suburb also got to vote? That's just an absurd position.

(comment deleted)
The commission is indirectly elected. Your democratically elected leaders propose the commission, i.e. the Council of the European Union [0]. I guess in US terms it could be thought of as more similar to the senate?

After being proposed they are then democratically confirmed by the parliament which you directly elect.

Which part of this is not democratic?

[0]: https://en.wikipedia.org/wiki/Council_of_the_European_Union

Well, that would be a completely different and interesting discussion, but I don't think it's really relevant to the point I'm trying to make ^^
I don’t live in the EU but I still have to wade through pointless popups, banners, and other bs.

Also don’t lecture me about democracy. Democracy is the same thing as gang rape. Majority wins!

the page loads without any tracking cookies etc...

on that page there is a login/register button..

registration processes gets consent for any personal information storage and processing..

where do you see the issue? not tracking people and cookie consent etc. only ever seem to be an issue if you are trying to silently track people, i have not seen any issues when you actually genuinely seek consent

For login, payment etc you would have "technical" cookies, the ones essential to run the site. They don't need a consent.
Pretty ironic that this is coming from techcrunch. I get the yahoo consent wall every time I try to open their links.
Their cookie wall is definitely not GDPR compliant, I am not sure why this is not reported yet.
Why do they even run a story where the main takeaway is "The site you are reading this on, is breaking the law"?

Is TechCrunch some kind of bot aggregated site? Or is the irony just lost on them?

I'm willing to bet the writers have never seen the site in its modern form.
Please just let me opt out of this cookie consent idiocy. How are we making anything better with all these cookie consent pop ups?
NoScript goes a pretty long way to making the web usable again, especially on mobile (attn web developers: don't like people using noscript? it's your fault. fix it.). There's also this, although I can't vouch for it personally: https://www.i-dont-care-about-cookies.eu/
I use it on firefox and it works very well. I think it doesn't support every website out of the box, but I've never came across one that it didn't work well on.

The prompts were turning me crazy especially since I use a few privacy extensions that made it impossible for the websites to remember my settings. It meant even browsing the same website lead to one consent form per page I clicked...

I agree, I just love that's it's now legally required for the vast majority of sites on the internet to have a popup.
No, it isn't required for sites to have a popup. There's a thousand less shitty ways web devs could implement this, up to and including just not using 3rd party cookies. But that's harrrrrrrrrd so we turned the web into a huge mess of crap.
Well, technically speaking you can get away with having no cookie pop if you ONLY use "strictly neccessary" cookies. Even if you use cookies to remember the user's preferences that make using your site a more enjoyable experience you have to have a cookie banner.

See here, under "Cookie Compliance": https://gdpr.eu/cookies/

That doesn't need to be a banner. You can ask for permission at the point someone tries to save preferences.
The link you provide is not a DPA nor a EU body. I would advise getting better sources, as cookies to remember user preferences are allowed without consent.
Because the alternative is to just accept all or accept none; the publishers do not want an accept none by default because that means they get no relevant data anymore. The consumers do not want accept all because that's what the GDPR is about in the first place.
Just enable "Fanboy’s Annoyance" list in uBlock.
> Please just let me opt out of this cookie consent idiocy.

This addon [1] will let you do just that. You can configure it to tell all sites to slurp as much of your data as they want, if that's what you prefer.

> How are we making anything better with all these cookie consent pop ups?

"We" are giving people back control over what happens with information about them. This is widely considered a good idea, though perhaps not near you ;) The pop-up part can be automated by software if you prefer a one-size-fits-all configuration, as described above.

[1] https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...

Add-ons like those should scare you because they give a small third party free access to every web site you visit.

With auto updates, you can't even verify that it isn't doing anything unwanted just once.

It could easily make sense to the developer to one day sell to someone who wants to do bad things which is commonly what happens with these.

I wish this wasn't true because add-ons like these are powerful and required for the modern web.

> Add-ons like those should scare you because they give a small third party free access to every web site you visit.

I think that they should scare you because they're, not surreptitiously but by design, consenting to innumerable requests to share your data without your interaction; but I guess to each their own scariness.

> "We" are giving people back control over what happens with information about them.

No. We are training people to click on every button and consent to anything that they are presented.

I don't click every consent banner and you also shouldn't. You'd be surprised how many accept a No just fine, which is the intended use.
> I don't click every consent banner and you also shouldn't.

And the regulation isn't for tech-savvy power users, it's for the general population. And they do click every consent banner.

Windows Vista's UAC modal was a good example of this.

Even the most tech-savvy HNer was clicking through those without any thought and soon turned auto-consent on (aka disabled UAC).

I find that GDPR compliant resources to be more trustworthy, even though I am in the US. It shows a desire to comply with regulations that provide me with information I otherwise would not be privy too. Like, how the cookies are being used. This is the most important part, for me, because usually by reading a platforms "cookie spiel" you can usually get a feel for the companies culture with regards to privacy and determine their ad network affiliations.

A cookie policy with lots of legal jargon that's 5 pages long and impossible to understand is probably hiding the fact that the visitors are the only product of that platform.

On the other hand, if the cookie policy is straightforward, honest, and transparent I will be more likely to engage with that platform, even if I am the product. Less information will never make you safer or more well equipped. Especially in cyber space.

Think of it like getting a contractor for your house. Do you want the guy from Craigslist who only takes cash or do you want the licensed journeyman with insurance who invested in making sure he is well equipped and minimally liable?

This 100x.

Provider that gives me 1-5 check marks to make once (and where the default settings are "off"?) - trustworthy. Anything like Verizon properties which gives an intentionally bad UX with thousands of clicks, information overload, dark patterns where 'accept' = 'accept all' even when you unchecked some boxes.. all this tells me I don't want to support this site.

And gdpr does much more, I don't think Google and Facebook exports used to really be possible so easily.

I hope it's teaching us that the next time some ivory tower bureaucrats suggest something, we'll assume they're full of shit and make it a lot harder for them to pull this kind of garbage.
If your takeaway is that GDPR is the problem in this equation, I can do nothing other than strongly disagree. It quite possibly could be better drafted, but oh boy is personal data hoarding by companies a huge problem, and would certainly not be lesser without oversight.
Why do you think "personal data hoarding" a huge problem?

I see it as MY data and YOUR data is pretty worthless. Aggregate data has value, but then that doesn't contain much insight about any individual at all.

Isn't it true that the more people's data you have, the less it says about any individual?

> Isn't it true that the more people's data you have, the less it says about any individual?

I don't see why it would. Unless legally compelled not to, why wouldn't you save both PII and aggregate?

That's not the law, that's the implementation that's the issue. The same EU body quoted above has passed the message for a long time that that's not needed eg for purely technical cookies.
There has to be a better way to regulate technology rather than changing the document. Why not a browser plugin?
The part about having a genuine choice is basically ignoring the choice of not interacting with the website beyond reading the cookie message. I understand that it's a shitty choice but it's at least there. This essentially forces the site owner to provide content without it's side of the terms being allowed to be required.
That's not true. It forces the site owner to provide content under its own terms as long as its terms does not involve non necessary functionalities provided by other companies. You can still enforce you own terms, but you can't enforce the GAFA cookies at the same time.

Said otherwise, your terms of service must be privacy-sensible, which is indeed the very goal of the law.

It's a shitty choice, which is exactly why it is not a genuine choice.

And yes, that is exactly what it does. That is the point. We have decided that that is a good thing to require.

I don't give the slightest fuck about GDPR because of the dumbass cookie popups they forced on every single site.
It baffles be that people are mad at the GDPR for making websites be clear about how they share your privacy data instead of being mad at websites for not changing the way their operate in order not to need such a pop up in the first place.

Advertising is a hell of a drug.

adblockers should at least block these consent popups
Who really gives a shit about advertising cookie tracking though? Just a few purist geeks on their high horses. And the rest of us suffer with these popups.

I blame the GDPR for being drafted in a way that allowed this mess.

This is exactly the reason the law exists: that people can't actually be expected to understand the consquences. I sure don't - so I'm glad someone else looks after my interests.
I can imagine how you can believe that privacy is not a significant or real concern, what I can't imagine is how you think your annoyance with cookie permission popups is somehow more significant.
It's more significant to me. In-your-face consent pop-ups are a multiple times daily annoyance. Targeted ads while creepy don't interrupt your task. After all you will be seeing an ad anyway, whether it is targeted or not hardly makes a difference.

This "cure" is worse than the problem it tries to solve.

Most of Europeans do. You might not care in the moment but you will care if you know how these profiles are used, sold and resold, ...
Sold to whom and used for what?

If the answer is "to target advertising" then what is the danger?

If the answer is something else, I'm all ears...

It is working. They are getting you willing to oppose your own best interests!
(comment deleted)
I and I alone will decide my best interests.
Gdpr does not force the banners. It forces to ask for consent before tracking users across sites. This doesn't have to be a banner and it doesn't have to be if you only use technical cookies (login, session, ..)

You only need consent if you include Google analytics or ads or a similar platform. Those platforms push the banners on people, pretending that those are needed.

The reason you see the banners everywhere is that a huge number of sites integrate these spy services.

The amount of time the EU has taken away from internet users with this insane policy is ridiculous. Yes, everyone in the fucking EU knows what a cookie is now. I can't believe I have to waste 3-5 seconds of my life on most website visits clicking a box. But obviously sitting in an office in Brussels making an actual calculations of the years you take away from people is not something you do.
Actually no one around me does know, which shows just how misguided the law is.
Don't blame the regulation, blame everyone who is trying to get you to click the consent button.

Cookies are a simple yes/no question, with the default answer being no. If everyone did what's in the users' best interests, it would be a non-issue.

you need session tokens to do useful things on WWW. why is the default no? i want my default to be yes.
GDPR only needs a cookie warning if it's used for tracking.
Technical cookies don't need consent.
So how do you store user information then? Like logins? Sessions? Also rely on cookies. Browser fingerprinting? Great - then you've switched one problem for another.

This entire EU regulation is a non solution to a not really existing problem. Yes, third party advertisers use cookies to track you. But they can build technologies to use something else. In the meantime you are a) breaking the internet b) wasting hours of each EU citizens time every year.

(comment deleted)
Those are functional cookies, which can be placed without asking for consent. A site that just removes tracking and advertising does not need a cookie consent warning.

They do not ask "can I place cookies"; they ask "Can my third-party trackers and advertisers place markers on your system so that your activity can be tracked across this and other websites".

Don't stare yourself blind on the poorly chosen wording. It's not the "cookie law" either, it's the General Data Protection Regulation. It's not about cookies, it's about regaining control over your personal data, your online behaviour, etc.

Those are all allowed without explicit consent - it's right in the regulation. What isn't allowed without consent is all of the tracking and data-sharing nonsense that isn't actually required for the website to function.
Theoretically. Practically almost all websites need third party cookies to use any decent analytics platform (most often GA). So the end result is still that 100% of websites need cookie consent.
You don't need an analytics platform for a login. You also don't need to fingerprint my browser.
There are also self-hosted alternatives so no third-party, or even cookie-less tracking. Something like: https://usertrack.net/
Matomo is my user tracking of choice, it honors DNT by default and is self-hostable or can be run as a hosted service.

Matomo was formerly known as Piwik

Matomo is great and it's nice that it's open source. One advantage of userTrack, which is also self-hosted, is that you get heatmaps and session recordings at no extra cost, which on Matomo cost from 200eur/year.
Just because you can't be arsed doing the research and want to give your users a poor user experience instead doesn't mean alternatives don't exist.
Selling user behavior data to google in exchange for free analytic is exactly one of those markets which GDPR want to turn from being invisible for the persons whose behavior data get sold to visible.

If a hospital would in secret sell my medical records to drug companies in order to get free medical supplies I would object on several grounds. First because they are doing it without telling me. Second because its not their data to sell. Third because it create an unfair market where drug companies who are more ethical get out competed.

This is exactly the spirit of the GDPR. You know your data won't turn up in some completely unrelated place because of a previous business transaction.
No website needs GA. You choose to have it for whatever reason but there's not ever a need to use GA. There are many less intrusive ways to father statistics than to sell your users to Google.
There is definitely a need for online analytics. Analytics are as important to me as crash reports.

* It helps me focus on the content my users need the most, and see what triggers donations.

* It helps me catch and diagnose traffic dips, and react to them.

* It helps me catch and diagnose unexpected issues. For instance, caching changes broke a component that accounts for 30% of my revenue. It would have stayed broken for a whole month if I didn't see the dip in events.

I will replace Google Analytics soon, but even as a tech-savvy person, it's a dreadful task. Google Analytics is free, simple, and incredibly reliable. Setting up your own self-hosted alternative, or paying a monthly fee for an alternative is a lot less desirable.

Yes I absolutely agree it can be useful.anf satisfying to see analytics. But it also means you send your users' data to another place where you know it will be recycled etc.

There are alternatives but as you say sadly none are as easy - probably because none have as much budget behind them. I see a number of comparison articles for gdpr compliant analytics, so it seems to have become its own market of sorts.

I have opted myself out of most Google services due to the intrusive nature, I wouldn't want to impose it on my site visitors (but I also have no need to monetize, so maybe a different ballpark).

If you want people to do the right thing, it has to be easy, or it has to pay off. GDPR is incredibly hard, and it's costly.

Just knowing what I need to do requires me to wear my lawyer hat. Actually doing it requires me to wear my developer hat, or to pay other people a monthly fee.

I do this because I swore to do the right thing [1], and because I have a lot of time on my hands. I can't reasonably expect amateur bloggers to do the same. It's an unreasonable burden.

1. https://allaboutberlin.com/impressum#content-policy

Well, maybe legislation like GDPR will incentivize Google to build a less intrusive analytics suite. Or force the industry to innovate to create a new form of analytics.
Get familiar with the regulation before posting.

Explicitely allowed:

* Cookies for login/session

* Cookies for shopping carts

* Cookies for interface personnalisation (language, etc.)

* Cookies for load balancing

* Cookies to retain user choice regarding cookies

And quite a few other.

You're really misunderstanding the GDPR. Cookies are not mentioned anywhere in the law and it's actually really simple to understand:

1. You can do whatever you need to do to provide the service you're providing. (login cookies, sessions, store their email address, whatever).

2. If you want to process, store, and sell any other user data, you need to ask them first.

So for example if you want to send 100 advertising companies personal data about your users, you need to ask for consent and allow them to decline without restricting their access to you service.

What technology you use to track users is irrelevant, it can be fingerprinting or cookies or anything else.

The only reason why you think the law is bad is because companies are frantically trying to work around it, trying to interpret it in unintended ways to not impact their data tracking ways, and trying to make users hate the law instead of them.

Well, this is a little more complicated, because the cookie issue stems not from the GDPR but from ePrivacy.

This directive explicitely targets reading/writing into the user terminal without autorisation, hence the application to cookies.

Edit: removed a post, that was not explicative enough.

But the articulation is: ePrivacy says you need to consent to write non-essential trackers. GDPR defines how you can obtain the consent. So both laws take part in this ruling.

you blame the law trying to protect you rather than the sites trying to take advantage of you? interesting perspective.

I 100% blame the people running the sites and whenever possible just close pages that come up with all this crap - if you are not doing anything dodgey there is basically nothing to get consent for.

How is basic analytics “dodgey”?
Or, maybe they're balancing it with the amount of money/time you spend buying stuff you didn't really need/shopping. It's probably not illegal to have someone follow you to see where you shop, eat, work and sleep, but if a company could deploy one person to follow you 24/7 and report back for basically for free without telling you, there's a line crossed.

Also, besides browsing news/Reddit/shopping, where do you see the GDPR prompt? Banks, AWS, GCP, don't use tracking cookies, so how many "years" of productive work are really being taken away? Sure, its a barrier to shopping which also boosts the economy, but why does Nissan they need to know I just bought a power inverter or visited Tesla if they deliver a solid car on their own merits?

> everyone in the fucking EU knows what a cookie is now

No, they really, really don't.

Can't they require a HTTP header that I would manage in my browser?
We had one. It didn't work. DNT: 1
I don't see any mention of that header in any law, nor any court resolution regarding that header. If that does not exist, we did not try.
Laws are not written around protocols. The GDPR is not HTTP-, Web- or Internet-specific.
Seems like we've uncovered the root cause of failure; besides, isn't the concept of cookies a part of the HTTP protocol?
One of my favorite bookmarklets to remove cookie notifications or other obnoxious overlays:

    javascript:(function(){(function () {var i, elements = document.querySelectorAll('body *');for (i = 0; i < elements.length; i++) {if (getComputedStyle(elements[i]).position === 'fixed') {elements[i].parentNode.removeChild(elements[i]);}}})();document.querySelector('body').style.setProperty('overflow','auto','important'); document.querySelector('html').style.setProperty('overflow','auto','important');})()
I'd really like to see an addon that just blocks the css overflow attribute. I've only ever seen it used by websites that try to stop people who are blocking their giant modal popups from scrolling.

It might be that I'm dumb and can't figure out how to add a ublock/umatrix rule to block it, but I'd love a single purpose addon that just deletes "overflow:hidden" in all cases.

document.querySelectorAll('*').forEach(e => e.style.overflow = 'unset')
Nice, I'll keep that as a bookmarket, saves me rooting around in the inspector!
May also need to add others like e.style.overflowY
I think you mean position: fixed or sticky? Overflow controls what happens when the contents of a bounding box exceed it's allowed size, which is usually to hide or make the box scrollable.
'overflow: hidden' is often used to make the content of a page unscrollable on less technically adept news sites where the content is still present on the page.
many sites use overflow hidden on body to disable scrolling until you close the popup
Nah, doing this would also break things like carousels/slideshows too, as well as menus that slide in from off screen.

And while it's rarer than those, I've definitely also seen page components which show a preview of the content until you click on them, then expand to show everything else. Those would break as well.

So while you'd certainly block modal popups that prevent scrolling, you'd also break a bunch of things on other sites that use the overflow property for more legitimate reasons.

I prefer carousels and slideshows "broken", so I can use my browsers fast built in scroll rather than the visible slow javascript one. This falls under the category of "stop fucking with my scrollbar", a message I wish I could write on enough cakes to send one to every webdev on the planet.

The slide out menus would be a shame, but I'd give that up to prevent it's rampant abuse everywhere else.

It does not work with Techcrunch, or yahoo/Oath websites, which just do this at the HTTP level.
This is run in your browser after the page content downloads and renders. It doesn't matter what tricks the server does.
The page does not contain the content. If you don't have the proper cookie, it redirects to a separate consent page; it looks like it's a popup, but the page has no content. It does not matter how much you massage the DOM or CSS: there's nothing below the "popup".
Ah, I see what you mean. Yeah, that wouldn't apply here.

It's likely that simply setting a particular cookie with a dummy value would bypass this.

Washington Post's paywall has a fun variant on this where not only does it omit the content, it changes the current URL so you can't reopen it in another browser or share it with someone. It's exciting seeing how creative services will get when they're trying to get you to give away your data and/or money for something you can't see.
Not to worry, I had a paid subscription and they still tried to track me constantly with 3rd party cookies on top of being able to track me from being logged in (and paying over a hundred dollars a year for the privilege).

Just use NPR and donate the amount you'd willingly pay for the paper to your local station.

> It doesn't matter what tricks the server does.

The server doesn't serve you the content until you accept... so it does matter what the server does.

Deleting everything with position: fixed is bad idea jeans!
No, it's not. The vast majority of sites that use it are putting bars across the whole screen to permanently display something that really doesn't need to stick around the whole time I'm trying to read the real content.
(comment deleted)
I've been using a similar bookmarklet for years now, and I have never seen any 'proper' content deleted by it. The fixed elements of a webpage are overwhelmingly likely to be useless and annoying wastes of space.
They can be menus. It's fine to make the menu scroll, but deleting it may not always be what you want.
In the very rare case that I want to use the menu on a page I'm reading (rather than an app I'm interacting with) I just refresh the page.
Tell me a legitimate use-case for position:fixed on a website. Not a web app, a web site.
How does your blocker know which URLs you are visiting are "web apps" and which are "web sites"?

I don't know which this is (or where the line is), but here's my latest project at my day job, where we used `position: sticky` for a sort of control bar, that I think worked out fairly well. (There are still some UI issues, but I think fewer than most of our peers trying to implement similar functionality).

https://digital.sciencehistory.org/works/4j03d097t

Switch to "transcript" tag, scroll around, click on timecodes to listen to that part of recording, etc.

It's a bookmarklet, which means it only runs when you ask it to, so I don't think it really needs to know the difference between a web app and a web site?
Ah, sure, that makes sense.

(But can someone give me the personal satisfaction of agreeing the project I just finished made a legit and cool use of position sticky, haha).

Good job! Keep building things.
There's a limited number of web apps that I use. That changes rarely and they can be whitelisted. E.g. I can assign some privileges to Google Docs or something like that, but it's perfectly reasonable to treat all random web links to new sites as "not-a-web-app".
Off the top of my head, the easiest one to think of is a shopping cart. A few e-commerce platforms I know of (Squarespace, some Shopify plug-ins, etc) utilize a fixed, floating widget for the cart.
navigational elements like menus or app bars are often fixed to the top. If you plan to actually navigate to different pages on the website, you've removed your ability to do that.

It's also possible that the creator of the site did some weird stuff and the entire body has fixed positioning for some weird reason. You can't predict how people will use innocuous CSS rules, and randomly deleting elements just because they have a certain style is easy but wildly imprecise. Seems better to just set everything with position: fixed to be position: static and unset any overflow rules.

The compose email box in a webmail client, like the one Gmail displays in the bottom right corner.

Alternatively, you can put user options there too, like a sort of floating toolbar. Sites like Medium do this in their WYSIWYG editor, and some of my own sites do this to display such options to logged in users.

Oh, and media players you might want to keep open as you scroll down the page/through the site. YouTube has a miniplayer option for just this, and a site with a music jukebox might want to use the same thing there too.

And yes, those mini carts you see on ecommerce websites when you add a product to your basket.

>> Not a web app, a web site.

> webmail client

> WYSIWYG editor

> media players

So did GP edit their comment, or did you ignore half of it?

Well, your web app vs web site distinction is very arbitrary. For example, imagine if it happened to be "it's a web app if it can benefit from position:fixed". Then your input isn't going to be very useful here.

Also, your accusation isn't warranted. Just because someone doesn't know your arbitrary distinction between web app vs web site doesn't mean they ignored the person above them.

I don't think most people would consider HN suddenly a web app if it upgraded its <textarea> into a wysiwyg markdown box.

> Well, your web app vs web site distinction is very arbitrary.

It's subjective. Your assertion that it's arbitrary is unfounded; you're clearly not even trying to imagine what a reasonable definition of that distinction might be.

> I don't think most people would consider HN suddenly a web app if it upgraded its <textarea> into a wysiwyg markdown box.

I'm pretty sure HN wouldn't need to abuse position:fixed to implement a WYSIWYG comment editor.

this cookie consent stuff does absolutely nothing but annoy people
Not because of the law but because those pushing tracking and designing the banners intentionally make them intrusjve. Purely technical cookies (eg login, spam protection) don't need a consent by the user.
Damn I hate those cookie pop-ups so much. Bullshit.
Somewhat ironically a consent wall is exactly what TechCrunch presents to an EU visitor the first time, and there's no opting out; only way to get past the consent dialog is to consent.

I know this especially well because I automatically clear all browsing data each time I close my browser, and techcrunch.com is one of the domains I avoid on HN because of the more annoying "welcome" on any page. (edit: +n)

Same here. Isn't this against GDPR regulations? I thought that sites must give you the option to not provide consent and still visit the site.
Can a website be compelled to provide its content? I can see the POV where "We cannot serve you unless you agree to certain rules."
They maintain the right to refuse service but my uneducated opinion is that it could be penned as discrimination given the circumstances
Surely they can require an account for all users. Of course then no one would register because who has time for that.
I may be mistaken, but I think it falls under some sort of discrimination ruling? I.e.: you can't discriminate against those users who don't want to give consent.
That seems like a weird choice. I mean, it makes sense to ban discrimination based on traits that people have no control of (e.g. all the protected classes in the US), but a refusal of consent is a behavior choice, not an unavoidable trait.

I wonder where things are heading.

Data protection laws would be meaningless if you made consent a condition of visiting the site.
But we've built a world where a large fraction of the population has [apparently] willingly traded their privacy for free product. I completely support making this trade transparent, so people can make an explicit choice, but what's the justification in making it one-sided and requiring companies to provide their service for free?
But is there any company that survives solely by collecting and trafficking personal data? Facebook and Google don't count, they make money selling ads.

If there is such a company I'm completely ok with them not being viable anymore.

i guess we'll find out if they really are willing, given a proper choice, and not just forced to click "accept" like in some perverse skinner box.

i don't know where all the misinformation comes from, but companies don't need to provide their services for free. they can still show ads - just untargeted ones. or is ads = tracking nowadays?

They can even show ads that are related to the content on the web page! Are you on a page that is about breeds of dogs you might want to adopt? Why not buy a Halti collar, and a package of dog training sessions, and donate to the RSPCA?

This is what Google's advertising product started out as, basically automated magazine advertising at scale; it turned into this perverse tracking system once everyone was hooked onto free web content and nobody could get away from it.

>forced to click "accept" like in some perverse skinner box.

Or you can just leave the website. It's not like you lose anything by not going to techcrunch, let alone lose your job or anything serious.

Targeted ads make the website a lot more money.

Data protection laws would still limit what companies could do with the data after they obtained it, even if they required that data to access the site.
Why? If a company is transparent about what they're collecting and how it's used, I don't see how there is anything wrong with them refusing you service if you refuse to accept their terms. Websites and the businesses that run them aren't public property that you have a right to use. The problem comes when they secretly gather and exploit your information.
All regulation against corporations limits the corporation’s rights, but it’s necessary as it keeps them in check.
So all regulations are necessary because it keeps corporations in check? I guess that means there is no room for bad regulations with that tautological definition.
That’s not what I said. There’s good and bad regulation. Things aren’t black and white; a truly free market with no government intervention at all will harm consumers, and governments with a hand in everything will harm consumers too.
"All regulation against corporations limits the corporation’s rights, but it’s necessary as it keeps them in check."

Your original statement made it sound as if you were saying all regulation is justified. Thanks for the primer on free-market/regulatory trade-offs though I never realized there was room for nuance.

I could see why you would think that; I could’ve worded it better.
It's not really that weird - it's almost the whole point!

The idea of GDPR generally is to prevent some undesirable behaviour (i.e. indiscriminately vacuuming up all the personal data you can and being careless with it), in part by establishing a regulation that says "you need to have good reasons if you want to process personal data". This means we have to define, among other things, what "good reasons" are.

In GDPR terms this would be the "lawful basis" for processing data. There are a bunch of these, including "you gave explicit consent", "it is a legal requirement", and "we have a legitimate interest in doing so".

The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who witholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.

> The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who witholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.

This seems backward to me - by allowing access to users who don't consent, you are implying that consent to track is not at all necessary to your functioning, and thus doing the tracking at all is now for invalid reasons... yea?

This is all obviously simplified, but “consent” and “necessary to functioning” are two different justifications for processing data. The GDPR does not require consent; it requires some kind of justification—a “lawful basis”— for processing, and “consent” is just one of those.

Think of it like this - if you want to process some personal data, regulations now oblige you to have a justification for doing so. That’s what GDPR calls a “lawful basis”, and there are six of them that can be used:

- Contract – "processing your data is required to offer or fulfil a contract with you"

- Consent – "we asked to process your data and you explicitly said it was okay"

- Legal obligation – "we need to process your data to comply with the law"

- Vital interest – "you were likely to die unless we processed this data"

- Public task – "we need to process your data to perform some kind of officially sanctioned public service"

- Legitimate interest – "we need to process this data for some other legitimate reason and promise that we won't do anything unexpected or unreasonable with it"

So, if you're running a website and you want to collect visitor data, you now need to justify why you are doing so, using one of these reasons. Each of these reasons outlines when they can be used, and what conditions apply to their use as a justification.

If you were running e.g. an insurance comparison site, you'd use the "contract" basis – processing a subject's data is necessary to fulfil some kind of service. A separate "consent" is not required. If you wanted to log requests to your site so you can detect intrusion attempts, you have a "legitimate interest" basis and again "consent" is not required – instead, you need to ensure you have evaluated the data you collect and demonstrated why it is required to fulfil that function.

To the specific point you raised – if your website legitimately needs to process data for reasons that are "necessary to your functioning", then you do not need consent to do so. You do need to document why this is the case, communicate it to users, provide adequate safeguards etc. but don't need to obtain an explicit consent. If you aren't able to use this approach, you still need a justification for your processing; if you want to use "explicit consent" as your reason, then that comes with the requirement that the consent is freely-given, explicitly opt-in, and is not a precondition for accessing the service.

If you decided to make "consent" a requirement to access a service, you would inherently be demonstrating that you did not meet the requirements for making that your "lawful basis" for processing.

Sorry that came out quite long, but I think it's important that anybody working with personal data understands these ideas!

I appreciate this response! I know I'm super late, but I learned a lot here, and it helped me out. :-)

Thanks!

In the US, "discrimination" only applies to protected classes. This includes sex. race, religion, nationality, skin color, age, or disability status. Unless one's stance on accepting cookies is enshrined in a widely acknowledged and mainstream religious text I'm not sure it would apply.

Even sexual orientation isn't really protected in that way FWIW, which is why a lot of anti-discrimination rulings surrounding LGBT rights can often feel a bit convoluted.

You can charge money, you can have special rules outside of the scope of the GDPR... what you cannot do is make people’s personal data the price for content. Under the GDPR personal data is non negotiable.
Thanks, this makes sense.

Edit: I'm surprised that elondaits's explanation isn't at the top of my thread. It makes clear that "exchanging your data as payment for 'free' services" is the target of GDPR and seems to me that's the only sensible explanation. Is someone willing to refute their explanation?

Yeah, I guess it could be thought of like laws against prostitution... you can give your data away for free, but you can't give it in return for something.
Sure, GDPR lets you give your data away in return for something. But, according to elondaits, that can't be the only price for something.
That seems like a tricky rule.. what if I said “you can access this with either your data or $1000”
What makes that "tricky"? If it costs somewhere near $1,000 to provide the service, why not offer that price as the alternative?
Price for a service isn't guided by how expensive the service is to offer, but by what the market will pay.

In this case, however, I was using it as an example of setting a price you don't expect to be paid... you want everyone to pay with their data, but you are required by law to offer an alternative payment form... so you set the price for the alternative to so high no one pays it.

I suppose this will mean the end of free content in the EU.
The question is not whether one is compelled to provide their content, the question is what is required for the content to be provided.

It probably wouldn't surprise you that it is unlawful to require visitors to sacrifice a kitten to access a site, would it?

Let's say I have a club, you have to do certain things to gain membership to my club if you don't do those things you can't get in. How is that any different? The club should be able to set the rules as it deems fit.
The club still has to follow the law. You can't have a "murder club" and you can't have a "I don't follow the GDPR club".
My point was about meeting requirements to gain access. Not about following the law. However, would it be against the law to have a club that is only open to ex-cons?

I understand that the GDPR makes it illegal to make it necessary to consent to give up your data before gaining entry. I was just questioning that portion of the law. It would be a pointless conversation to question points of a law and have someone respond back "but that is the law".

> However, would it be against the law to have a club that is only open to ex-cons?

Actually, in some countries, outside narrow restricted cases like support groups, yes; criminal record is a protected class in some cases.

However, being an ex-con isn't illegal. Having a club where you required members to consent to a crime being committed against them, which is more analogous here, wouldn't be legal.

It's only analogous because this law makes that act illegal if you change the law then it's magically legal again.
... Well, yes. If you legalise murder, murder is legal. I’m not really sure what your point is.
The law in question is the GPDR. I’m not sure what your point is. If you change the law to allow people to choose to consent or not see content then it is no longer illegal. If we can’t have that discussion because it is currently illegal then I guess it’s pointless.
I mean, that change _could_ be made, but why on earth _would_ it be made? It would largely defeat this portion of the GDPR. Who actually wants that change beyond advertising companies?
Why would it not be made? Each person has agency in the decision to share their data. If it is indeed _my_ data then _I_ should be able to choose to sell it or move on. Forcing a companies hand, I predict, will just move more content behind a paywall, decrease access to legitimate information and further fringe conspiracies.
You can sell your data for cash.

But this thing where big sites say "data or else" isn't a proper negotiation. It's a contract of adhesion, and those get regulated for good reason.

If things get moved behind expensive paywalls, that's a shame. But if there is more truely free access, or content behind paywalls that charge as much as an ad is worth, that can be a net benefit.

> The club should be able to set the rules as it deems fit.

That's only true under ideological assumptions that are far from universal. I think most people would be OK with society putting reasonably-justified restrictions on the kinds of rules the club can set.

Sure, I'm not a psychopath, I understand the usefulness of laws. I just don't think the restriction in question is reasonable. To me, it seems like a choice an individual should make for themselves: access or data?
That would create perverse incentives and make the web a worse place.

The point of the law is quite clear: allowing people to use the web without having anyone force them into giving away personal information.

Sure, some companies won't be able to be creepy to users, but that was an acceptable tradeoff to the law.

In theory, in practice users consent and move on. You’ve just added an annoying extra step on every site. Victory?
Collecting data and being annoying are entirely optional and a choice made by companies. The law is a still a partial victory for privacy.
It may be optional but it seems to be the standard rather than the exception.

I just don't see people really caring about their privacy. When given the choice between convenience and privacy people generally choose convenience. As someone who doesn't have a dog in this fight, I just end up annoyed.

Just because something is a standard doesn't mean it's right. It also doesn't mean the law shouldn't discourage it.

And just because people don't care doesn't mean a company is automatically allowed to track people.

If the law were followed by the letter and companies weren't using dark patterns or ambiguous marketing-speak to convince people to allow cookies, only people with pro-tracking stances would allow it.

Or users decline and move on, since decline is supposed to be just as easy as consent.
They could, I just don't personally see that as a clear cut win for the web.
If UX is important, then don't track users. There's no consent required if you're not tracking.
Only if they're _legal_ rules. Otherwise you get into unconscionable contract land.
Sure, but killing a kitten is illegal, and accepting cookies isn't. They aren't asking for someone to commit a crime.

I assume it would be legal to charge money for reading the content... could they require that you create an account?

The whole point of the article (and of GDPR) is that accepting non-essential tracking cookies without user consent is illegal.
Yeah, some other comments made that point more clearly. I think I understand better (it seems to be similar to anti-prostitution laws, where it is illegal to trade something you can give for free)

It does seem to lead to some strange loopholes though, like requiring an account for access.

> It does seem to lead to some strange loopholes though, like requiring an account for access.

That's false.

Requiring an account or even payment for access does not replace or imply consent of any kind, and all rules still apply even if the user is still logged in or paying.

In fact, it's probably more complicated for logged-in users since you have to comply to requirements of data-scrubbing, removing/anonymising logins/emails/passwords from your database upon request, etc.

How could you anonymize an email address for an account? You are going to need it to reset passwords
You have to do it upon request.

Meaning: more code that you have to write and time you have to spend.

Determining whether a user has "consented" is impossible, as evidenced by this thread, so the law is folly.
In a highly technical sense, it is maybe not. In a legal sense, which applies human common sense when necessary, it absolutely is.
it is easy to determine if a user has consented. but if you go out of your way to mix in “i consented” and “i want this box to stop annoying me as quickly as possible” into one bucket, the fact that you have trouble separating them is a problem you created
The idea is that if this is how it is presented, you can tell them you agree and they still have no permission.
Yes, it's also against the rules to auto select all of the trackers as accepted but many sites still do this. By default everything should be deselected and you need to accept all of them to allow tracking.

I've found that sites are slowly changing over to this method but it will probably take a big court case for the likes of TechCrunch to change.

I thought they could have them all selected as long as there was some "de-select all" button?

Edit: Never mind, I guess that would violate Article 7's "It shall be as easy to withdraw as to give consent."

> Edit: Never mind, I guess that would violate Article 7's "It shall be as easy to withdraw as to give consent."

Wait--that exists? Then Oath _definitely_ is violating GDPR. Continuing without consent is basically impossible on their websites!

Yes, restricting access when users do not consent to data collection is generally illegal. There are exceptions, like in the case of fraud detection, but restricting access to this article is not justified.

Companies like Verizon can get away with this abuse because we're all too lazy to report them in an instant.

Verizon has offices in the United Kingdom, Ireland, Belgium and the Czech Republic, but you can also use the online form of your country to report them in the EU.

File a complaint against Verizon and TechCrunch here:

UK: https://ico.org.uk/make-a-complaint/your-personal-informatio...

Ireland: https://www.dataprotection.ie/en/individuals/raising-concern...

(comment deleted)
Do EU laws apply when the target user base of a website is non-EU customers? e.g. if Verizon Wireless only operates in the US, do they have to comply with EU laws despite them not attempting to localize content for EU users (aka they get shown what US users get shown)?
The law only applies within the EU.

However, EU GDPR legislation permits the EU to do whatever it can go after noncompliant sites in any jurisdiction. The legislation also requires all new trade agreements between the EU and other countries to be GDPR-compliant. The legislation permits them to go after "noncompliant" sites for 4% of worldwide revenue. So it's quite brutally extraterritorial by design.

The interpretation of the regulation does not require large fines for small infractions by non-EU-focused sites, and indeed the regulators presently work to be eminently reasonable about such things, but the lines are fuzzy and the interpretation could change without further legislation — and even if you could defend yourself against such a case, it may be ruinous anyway.

The GDPR applies to personal data of all EU citizens and permanent residents. Even a tourist in the US who browses a website which is only available in the US.

But if the company has no offices, bank accounts or other business presence in the EU, there is no practical way to enforce it.

> Yes, restricting access when users do not consent to data collection is generally illegal.

So, if sites can't provide users with anything in return for consenting, doesn't that make consenting not a valid contract? Or does the EU not require a contract to have an exchange of value?

Not any data, personal data. You can't collect personal data unless is necessary to the service you want to offer, and only after the user gave its consent
I doubt that is the intent, content can be behind paywalls so I see cookie acceptance as a form of paywall. if they are claiming otherwise you get stuck with only paid content.

So can they do previews only without running afoul of the law and they specifying cookies for full access?

Consent can't be a form of paywall under GDPR. GDPR defines that valid consent must be freely given, and explicitly mentions that if providing service is conditional on providing consent then that is not freely given consent.

Consent that's not freely given is not valid legal basis for processing personal data according to GDPR. If users clicked "I agree" under these circumstances, then that "agreement" click is worthless, it does not grant any extra permission that the website owner did not already have.

In essence, GDPR makes that consent to processing private data is not for sale, it's not something you can legally trade away in a contract for some money or benefit.

It's valid to have informative click-through walls - to gather assertions that the user has been informed that you're going to do stuff with their data because you have a legal basis to do it even if they don't opt-in; but a click-through wall fundamentally can not be a mechanism of obtaining valid consent to some processing where consent is needed. GDPR consent must be opt-in, fully informed, and freely given - something that some of your users intentionally choose because they want to. If you expect all users to "consent" to some processing then that's impossible - you would rather have to argue that the "legitimate need" or some other part of GDPR allows you to process that data without consent. You can have all users acknowledge something, but you can't have all users consent to something, that's not how opt-in consent works.

I'm not sure that is correct.

Several Austrian and German Newspapers present me with a clear popup choice "Accept Tracking" or "Pay Money"

The Washington post does the same.

Websites are not required to give you their content for free.

Websites are not required to give their content for free - a "Pay money or go away" popup is completely valid.

But websites are not allowed to track people who don't really want to be tracked. If the choice was "accept tracking or go away" then clicking "accept tracking" does not give them a legally valid consent to track me. There's nothing illegal about that popup as such, it's the tracking without consent that would be a violation.

Can you give me a link to some of these Austrian and German newspapers so that I can try out their approval pipeline? If that's really the case (all kinds of minor nuances may change the situation) then my intent is to click "accept", followed by a GDPR request of how they're using my data, and if their response indicates "consent" as the basis for processing something, then I'll submit a complaint to my local DPA (which may get resolved by the end of year..)

My point is that some EU companies still doing X is not a sign that X is permitted - often all it means that GDPR is not enforced for them yet. I see a lot of local practices that are still happening despite our local DPA clearly stating that this is not 'kosher' - it takes a lot of time to make all industries comply, there have been a lot of changes (mostly for the mass market companies handling offline customers, everything from hospitals to the rental markets to supermarket loyalty cards) but there's a lot of noncompliance out there. Every now and then another subindustry gets investigated (probably prioritized by the number of complaints) and after some action gets taken, all the other local companies in that industry tidy up somewhat.

> Several Austrian and German Newspapers present me with a clear popup choice "Accept Tracking" or "Pay Money"

I'we only seen "Accept ads" or "Pay Money", which makes it bit different.

There are also non-tracking ads, and you can consent to be tracked even if you pay money.

Consent can't be a form of paywall under GDPR. GDPR defines that valid consent must be freely given, and explicitly mentions that if providing service is conditional on providing consent then that is not freely given consent.

Which is absurd. Did I not "freely give" $20 when I bought a pizza because if I had been able to get the pizza without paying I would have?

GDPR consent must be opt-in, fully informed, and freely given - something that some of your users intentionally choose because they want to.

And there's no reason for customers to opt-in when you're not allowed to offer anything in exchange. I would respect the GDPR a lot more if it directly banned "unnecessary" data collection, rather than going through these silly rituals of companies using dark patterns to try to claim that users agreed.

"And there's no reason for customers to opt-in when you're not allowed to offer anything in exchange." is kind of the point - the goal of GDPR is to stop the unwanted invasions of privacy, not extract some additional compensation from companies in exchange for being permitted to continue all these things. It's designed so that it would not be possible for a standard privacy-violating website to become GDPR compliant by writing some legalese or showing some popups or offering some discounts in exchange, the only way for the industry to become compliant should be by actual change in behavior so that there's much less tracking and violating the user's privacy.

The valid reasons for customers to opt-in are in scenarios where they desire the result to be customised according to that private data - where the customer wants you to use that data because that actual use benefits them. E.g. a dating site user might want you to use all kinds of private data for the purposes of finding better date matches. And the same user might not want you to use that same data for any other purposes or share it with third parties. And the intended result of GDPR (as the enforcement slowly changes the common practices) is a world where these user's privacy preferences are actually respected.

So the consent question comes down to essentially "are the users gifting you this data because they want you to have it?" - if so, knock yourself out, everyone's happy. But any selling or trading that consent is not binding or enforceable.

The most effective analogy that I can think of is sexual consent.

Like, if I sign a contract saying "You can fuck my arse and I get 5 euros for that" then that by itself does not count as valid consent, that's a nonenforceable term, it's null and void. At every future point I'm free to not have my arse fucked unless I really want to (or there's some other legal basis, IDK, a warrant for a cavity search), that's an unalienable right, it's not something that I can sign away in a contract, and doing so without my actual consent would be rape no matter what I signed in the contract.

In the exact same manner, under GDPR if I sign a contract saying "You can violate my privacy and I get 5 euros for that" then that by itself does not count as valid consent, that's a nonenforceable term, it's null and void. At every future point I'm free to not have my privacy violated unless I want to (or there's some other legal basis), that's an unalienable right, it's not something that I can sign away in a contract, and doing so without my actual consent would be a privacy rights violation despite the contract.

> you get stuck with only paid content.

That’s fine, isn’t it? They want money, I want information. If the information is worth it, I pay.

> If the information is worth it, I pay.

So it's up to you to decide if the information is worthy? After already seeing that information? And you promise you will forget that information after not liking it and not paying for it?

You can ask for payment before showing the information.
I see how it could be read like this, but this is not what I meant to imply.

It's of course classic upfront payment. I realize this only works for larger articles. For news feeds a subscription would probably work better.

This will probably lead to market consolidation over time, but that's capitalism.

Sure, but large portions of the internet do it this way. They'd just stop serving EU users if it comes down to it.
What if the law said that the company has to serve EU users the same way it serves non-EU users, and to do otherwise would be considered an act of trade war by a private US corporation against the EU (the same as if e.g. a US private defense contractor, hired by some other power, hacked into EU corporations and caused property damage against them)—basically making the whole thing into a “diplomatic incident” each time it happened?

Heck, what if they said that everyone doing things their way is their condition on staying in WIPO, and if a country can’t bring its corporations into line, then the EU will declare all WIPO IP-right assertions originating from that country null and void within the EU, free for any EU corporation to exploit?

I don't think anyone should be forced to service foreign nations. As a citizen of a non EU country, I'd take issue with being compelled to work with them.

EU would effectively be declaring war on a significant percentage of the world. They have no jurisdiction beyond their borders.

Taking your ball and going home, while not the best for business, should be an option.

I mean, you're not forced to service foreign nations. But if you are trading with foreign nations, then you've got to realize that that is fundamentally a voluntary relationship—trade doesn't exist by default, it is created by a spirit of mutual cooperation, on a foundation of compromise. If that spirit of cooperation and foundation of compromise don't exist, then the trade cannot exist.

Or, to put that another way: WIPO itself is something the US "forced" on the rest of the world. But it wasn't actually force; it was just a condition on other nations continuing to trade with the US.

You mean like EU companies are not forced to stop trading with Iran, it was their free decision.
Yes, I believe Iran sanctions function similarly to WIPO, the US requires people to follow certain rules if they want to do business with the US.
As I said, taking your ball and going home should be an option. That implies NOT trading with EU.

As per wiktionary.org: "To cease participating in an activity that has turned to one's disadvantage, especially out of spite, or in a way that prevents others from participating as well."

You are assuming a point I did not make.

Just block EU IP addresses if you want. No-one is forcing you to allow access to any particular country or region.
Doesn't make a difference. If I access your site as a EU citizen through a VPN, then you must follow GDPR.
Honestly I'm not sure about what the outcome is there, has it ever been tested?
An act of trade war? What does that even mean?

Lots of companies won't ship things to certain countries, that doesn't make it a trade war.

Then why didn't they already stopped? They are violating the law.
Because the EU is a dumpster fire when it comes to tech companies (probably not a coincidence). This means that few websites are actually based in the EU. If the EU doesn't like them then they can block the sites.
Well, the US is the lawless West, where anything on a clickthru is legal and binding for in perpetuity... And you also gave up your rights to sue.

One of our very own congresscritters Trey Hollingsworth, put out a survey to make a corporate liability shield making businesses not culpable when people coming back to work die from Covid-19. ( https://www.reddit.com/r/bloomington/comments/gejtlv/treys_l... )

Human rights is a dumpsterfire in the USA.

(Yeah the -1's represent profits before people. Gotta love how there's no refutation about what I say - just STFU modpoints)

It is probably related to the complete lack for jurisdiction in calling the US "lawless" that attracts the downvotes. Most people understand that Saudi Arabian Blasphemy laws mean jack shit if you have no connection their laws can't apply. Making any pretense of validity beyond ability to enforce the laws just makes any making claims utter tools. Just because the other block is an EU nation instead of a backwards monarchy petrostate doesn't change that one bit.
the US is the lawless West, where anything on a clickthru is legal and binding for in perpetuity

Clickthrough agreements being enforceable is an abuse of copyright law, exactly the opposite of "lawless".

The downvotes are no doubt because you've violated the site guidelines with name-calling and flamebait. The damage that does is more important than the value of the information you're adding, so downvotes and flags are correct. It's too bad, because there's the kernel of a good comment there too.

Would you please review https://news.ycombinator.com/newsguidelines.html and use HN as intended? It's not hard if you want to, and you're a good user otherwise. We've had to ask you this many times.

> I thought that sites must give you the option to not provide consent and still visit the site.

What the heck? That seems a bit overbearing.

It's my server. Don't agree to my rules? GTFO. Why should you have the right to ignore my rules and still use my server? That's like having your cake and eating it too.

"Thanks, I don't consent to your monetization scheme but I'll go ahead and use your bandwidth for free."

The GDPR limits your rights insofar. You may find that "overbearing", I find it okay. Your rights end where my rights begin. Where the line is, is debatable, of course.

Remember that the law came only because web site owners took things way too far. Pendulums swing both ways.

Well in that case I disagree where EU has drawn the line, so I'll just not serve EU customers (or if I do, it will not have a free option, only a pay option) and we'll both have all of our rights.
Exactly. Many US newspapers go that route already. I'm fine with that.
The right to not be tracked if you don't want to is (now) a fundamental legal right that overrides any rules you can implement.

It's not that they don't consent to your monetization scheme, is that a monetization scheme that involves tracking people who don't really want to be tracked is illegal as such, you can't have one. You can deny access to whoever you want, but the key point is that if you "threatened" them to deny service if they don't accept, then that does not really indicate that they wanted you to use their data, does it?

You can't say "oh but I gave them some goodies to influence them to click 'Accept'" - nope, if they don't really want to be tracked, then you aren't allowed to do so, the consent is not something that people can trade away in a contract for some content, server time, money, lentil soup or whatever.

Ok, then EU shall not have a free option on any of my services. Pay or GTFO. Harms the poor, IMO, but at least the poor's privacy will be protected from ad companies.
Everyone's privacy will be protected - the same consent restrictions will also apply to your paid customers. Free webservices are not the majority of the world's businesses, a big part of why GDPR was needed is because all the paid online and offline services also traded all their subscriber private data; and with GDPR you can't just have a line in your paid service terms&conditions that allows you to screw their privacy.
Yes, I understand that. However, do you acknowledge that current monetization methods for "free tiers" of services generally involve cookies/tracking? If so, you also acknowledge said free tiers must go away if the service is to operate in EU, correct? If so, wouldn't you agree the EU poor will have access to fewer online services than their USA peers?
> do you acknowledge that current monetization methods for "free tiers" of services generally involve cookies/tracking?

I guess it depends wether you consider free plans to be a loss leader for the paid plans.

If you don't want to operate a free service that is without tracking, then don't. No-one is forcing you to, but you should be aware that you still need to follow the law for paying users too.

I think the whole conclusion of this thread is that "Pay or GTFO" is perfectly acceptable and legal, but "Consent to tracking or GTFO" is not.
Yeah, I agree with you. If people don’t like that a site uses cookies, then don’t visit it and maybe it will naturally go out of business. They shouldn’t be forced to still provide content.

Or not. Personally I have no problem with cookies. Maybe they will just lose traffic from a small fraction of HN users instead of going out of business.

It’s kind of like paywalls. I get annoyed whenever I visit a news website and a paywall pops up, but I just leave the site unless I’m interested in subscribing. If enough people leave instead of paying (i.e. providing something of value in exchange for accessing interesting content), then the publication goes out of business.

Privacy is a consider a basic right in the EU, so no, you cannot operate monetisation schemes that violate it. It would be like having a 'by entering our restaurant you are agreeing to our reduced-hygiene policy' sign at the door. If a business cannot survive with clean hands, then it should not.
> Privacy is a consider a basic right in the EU

Your point definitely makes a lot of sense, but there are many of us who believe that we should be able to make our own decision to give up certain types of privacy in exchange for something of value.

Everything involves some level of risk/reward. Should I not be allowed to skydive because of the increased risk of death? Generally, I think my rights end where others’ rights begin, so I fail to see how sharing or withholding my personal information affects anyone else.

> Generally, I think my rights end where others’ rights begin

So invading someone else's privacy, without their consent, for your own monetary gain, should be your decision, because it's fairer?

> someone else's privacy, without their consent

I didn’t say anything about not getting consent to share personal information. I think almost everyone would agree consent is always necessary.

> we should be able to make our own decision to give up certain types of privacy in exchange for something of value

This is what these laws are all about.

People volunteer personal information because they believe the website will use it with their best interests in mind. There is a well-defined goal and achieving it is the only reason the website even has access to such data. For example, people give their home address to an online store so they can ship orders. Selling this data to marketers so they can spam the consumer's mailbox with advertisements is outside the scope of that goal.

Websites should collect only what's strictly necessary for them to do whatever it is that they do. They should use this data only for this purpose and ideally delete it afterwards.

I do agree with you that you should be able to freely exchange your privacy as you see fit. But the difficulty, as I see it, lies in determining whether the exchange is truly free or coerced by some means. The GDPR takes a strong stance on this (that consent is only freely given if withholding it would have no drawbacks) and it does have false negatives, i.e. situations where the exchange was fair but prevented.

However, there are two reasons why I think this is still reasonable (with 1. being more important):

1. The reality of the current situation is that invasions of privacy come bundled with other services, which you are pressured to use due to external factors. So I believe that the vast majority of cases are modelled well.

2. I see a privacy as similar to herd immunity, in that society benefits if lots of people have it, even if the individual does not profit from it directly. (In particular, it may prevent certain kinds of power from accumulating or centralising.) In these kinds of situations it can be necessary to restrict individual rights to achieve optimality.

"Ok, then EU shall not have a free option on any of my services. Pay or GTFO. Harms the poor, IMO, but at least the poor's privacy will be protected from ad companies."

Sure. Just like I didn't click on the techcrunch link above, I'm sure I'll live without your server as well :)

Great, this is exactly how capitalism should work. You don't like the rules, don't use my service. If I want you to use my service, I'll change the rules.
There won't be many sites you will be able to click on, nor services. No more free email, no more free news, no more free chat forums. Your web will be a lonely place with a very small number of sites you're able to visit without paying.
> It's my server. Don't agree to my rules? GTFO. Why should you have the right to ignore my rules and still use my server? That's like having your cake and eating it too.

It's european society. Don't agree to its rules? Don't try to monetize european citizens. Why should you have the right to ignore their rules and sell their personal information? That's like having your cake and eating it too.

When it comes to TechCrunch's website, there are many more reasons to avoid it besides their cookie wall.
It's bad enough that I consider the site outright malicious and just flag these submissions.
Oh, but you can opt out. You first need to click the other button. Then again. Then you get the list of hundreds of “partners”, for each of which you have to manually figure out how to opt out.

And then, in the end, you undo all your hard work opting out of hundreds of services by having to press the accept button anyway. :-D

/edit: Heh, yea. It’s not just “hundreds”. It is _way more than 1000_ “partners”. Insane.

At some point I just stopped reading sites that make it too hard to opt out. Though I would really like to have a browser that automatically opens links to such sites in incognito mode, accepts the popup for me, and makes sure everything is thoroughly deleted afterward.
I would like an extension that replaces the page with "It's not worth it" so I know not to even try to opt out and just leave.
If you block the domain in umatrix it basically does that. For instance techcrunch redirects me to some "guce.advertising.com" url and umatrix blocks it https://imgur.com/bxGAbiH
I'll look into doing that with uBlock/Privacy Badger, thanks!
Oh, that's too much work. I've been using Cookie AutoDelete for Firefox and I've set it to clear all non-whitelisted cookies a couple of hours after last visit. This way I have to click once if I visit a couple of times a day.
The chrome and firefox extension I made: https://baitblock.app has a feature called tracking resistance. It deletes cookies on websites that you are not logged into automatically
That sounds perfect. Login is the only legitimate use case for persistent cookies that I can think of.
Logins are a common enough use case that browsers should simply support it directly, and drop support for cookies entirely.

There's no reason we can't have sites set an auth token, and send that in under the Authorization header. And then when you want to sign out of a website, you can have a button for that in the browser. The tooling already exists in the HTTP standard, it's just that it's only widely used for server-server communication.

Wouldn't advertisers just use the auth token as a cookie then?
Bingo. "Auth Token" simply becomes "Session ID", and the backend then tracks anything it wants as part of the session.

I don't see much of a solution other than making it a matter of policy, eg. Microsoft's "P3P" header. Otherwise authentication credentials need to be supplied with every request. Not a session id or token as a cookie, but the actual username and password being supplied with every request. Basically the old http basic auth, but with a more modern system to replace it.

I understand the core idea behind the EU's desire, but the fact is that cookies are absolutely required for login sessions, and it's impossible to allow users to opt out. The EU doesn't understand the tech behind the laws they are trying to enforce, and this is where it leads to. Absurdity.

Only if you're logged in and only to the first party server, though.
That requires separate opt-in consent according to GDPR.

GDPR is absolutely not about cookies, it's not about having private information but about uses of it. You may have a legitimate need to collect some data - that auth token for login purposes, the customer's address for delivery, etc. That's fine, it allows you to collect and use that data for that purpose. But it does not mean that you're automatically allowed to use that login token or delivery address you have on your servers for other purposes such as selling or giving it to third party advertisers.

Yes. However, there are some upsides: having an auth token which from the perspective of the browser is limited to auth, makes it more explicit when the browser is passing an auth token to the site: if the browser shows a "Log out" button, then you're providing that auth token--if you didn't log in to a website and suddenly you have the option to log out, that's very obviously weird. Of the perhaps 10 sites I visit on a regular basis, I only even have logins for 3 (email, Reddit, HN) so other sites would be slightly hampered in tracking me.
I can think of several other reasons:

- A/B testing.

- Limiting the number of articles a non-paying user can read per month.

- Persisting form data and shopping cart info. (Not all sites require an account to order stuff from them.)

- Improving recommendations based on what someone has liked or viewed on the site.

As a Firefox user (on Windows) this is not a particularly encouraging prompt x

https://imgz.org/iqHHPwcE-1280.png

Pardon me, but what do you think is wrong with the prompt?
It looks terrible? The Firefox prompt is broken.

It doesn't realise I'm on firefox, so doesn't preferentially serve me a primary focus?

Reddit's even worse, if you visit the site from iOS it asks if you want to open the app 'or continue with Safari', whatever browser app you use.
Similar thing on Android. Doesn't matter what browser you use, it asks you to "continue with Chrome".
With Firefox for Android it shows me continue with Firefox.
i get chrome on firefox/android
Really? I was specific about it because I had an Android phone until a few weeks ago, and didn't experience this.
Personally I just use a Private Browsing window.

Plant all the cookies you like, they'll last about 3 minutes.

I use Vanilla Cookie for Chrome (it deletes all non-whitelisted cookies after some time or after closing the browser), and have been thinking about making a browser extension that just hides all fixed elements and transparent full size elements. The reason for me thinking this, is that nowadays I just accept almost everything, and trust the Valinna cookie to clean up afterwards. What do you think about this?
The first bookmark on my bookmark bar is "Kill floater", and it removes most floating elements on the page. It even works on many sites that hide the page behind a popup. Use it on my iPad all the time.

The bookmarklet:

  javascript:(function()%7B(function%20()%20%7Bvar%20i%2C%20elements%20%3D%20document.querySelectorAll('body%20*')%3Bfor%20(i%20%3D%200%3B%20i%20%3C%20elements.length%3B%20i%2B%2B)%20%7Bif%20(getComputedStyle(elements%5Bi%5D).position%20%3D%3D%3D%20'fixed')%20%7Belements%5Bi%5D.parentNode.removeChild(elements%5Bi%5D)%3B%7D%7D%7D)()%7D)()
Thanks! This will save me a lot of time.
Do you mind prepending the bookmarklet code with two spaces as described here: https://news.ycombinator.com/formatdoc

It's breaking the layout of this entire comment thread for me so I have to scroll horizontally to read all of the comments. Thanks!

I've added two spaces there.
I cleaned up and improved this a little. Now it hides the fixed elements, unless their computed top is at 0px. Also makes the body to scroll automatically, as many sites set their body to fixed before the fixed popup is gone:

``` javascript:(function () { var i, elements = document.querySelectorAll('body *'); var style;

    document.body.style.overflow-y = 'auto'
    for (i = 0; i < elements.length; i++) {
        style = getComputedStyle(elements[i]);
        if (style.position === 'fixed' && style.top !== "0px") {
            elements[i].style.display = 'none';
        }
    }
})() ```
HN breaks the formatting, and does not seem to support Markdown.
This is great, thank you! More precise and thorough then what I had. I'll minify it and start using it on my iPad.
According to GDPR the defaults has to be "no consent".
How is ‘default’ defined? Does just highlighting the ‘no consent button’ after a massive set of options count?
It will likely be up to the courts to interpret around the edges, such as "can the modal have everything turned on by default?" That said, at a baseline it means that if you didn't click a "consent" button or some equivalent action, they can't assume they have your consent.
I was on a mainstream site yesterday (can't recall now which) it had a cookie dialog with no options checked, and a "accept and go to site" button, so I assumed it meant "accept the above settings". Nope, it fills in all the unchecked options, then "accepts" those settings and goes to the site. It was so incredibly devious I was almost impressed as I immediately closed the tab.
The part of GDPR that covers this in depth is Recital 32.

https://gdpr-info.eu/recitals/no-32/

There's a lot of detail, but the most important part is this: "...inactivity should not therefore constitute consent."

While I'm not sure there's an EU-wide ruling, the Greek DPA has specifically called out the "Consent" option being more visually prominent than the "Not Consent" option. They also mention the anti-pattern of bugging for consent daily but not bugging for un-consent afterwards, but that probably runs more afoul of "consent must be as easy to withdraw as to give" rather than "freely given."

The key part is that it's defined based on the intent and outcome. The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice - that they knew what they agreed to and wanted to agree. If users did not intentionally want to opt in to you doing X with their data, then you don't have a valid legal basis for processing no matter what they clicked, since whatever system you built apparently did not truly capture what the user wanted.

If a site wants to use data in ways that need consent (by the way, most reasonable uses don't need consent because 'legitimate need' applies - it's pretty much only things like "use all your private data for targeted advertising" and "share your private data with these 1000 trusted partners" that need consent) then it's the burden of the site to ensure that the options are presented in a clear, nonconfusing way, that users get fully informed, etc, and demonstrate to the data protection agency that whatever they implemented achieves these goals.

"Just highlighting the ‘no consent button’ after a massive set of options" most likely is not effective to that goal, and a data protection agency can easily verify that (run a study with 10 new users signing up for the site and fill out a questionairre of what they wanted to consent) so it should invite administrative action from the DPAs, with mandates to change the system and/or fines depending on the circumstances. It's just that they're not really bothering with random websites (yet?) since the majority of their work is on how the all the EU non-web businesses (e.g. retailer loyalty programs, phone providers, banks, etc) handle private data.

> The company has to demonstrate that each user made an intentional, fully informed, freely given opt-in choice

How is this even possible without setting up a video meeting where a consent officer interviews you and quizzes you to make sure you understood your rights and what you were consenting to?

This seems like an exceedingly onerous thing to demonstrate

By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website. What you should do to comply is literally in the guidance; both the old guidance and the newly published guidance.

The EU does not act like the US - if there's a piece of law, there is guidance on how to comply with that law. You follow it and you're safe, until someone publishes updated guidance.

A number of companies are betting that doing something short of what the guidance recommends will still result in a compliant website. They are in a situation where, if they attract the attention of a regulating body, they may be fined.

> By giving them a dialog that clearly describes what they are opting in to, with a clear "I do not agree" button, that does not degrade the user's use of the website.

And what if your cat walks across the keyboard and accidentally consents, but you never even realized it? Should there be a consent banner across the top at all times? Or what if you are drunk when you are surfing the web and didn't understand your rights when you accidentally consented (drunk people can't consent - the website raped your privacy)?

Then, assuming that you can evidence that you followed the guidance, and you implement the rest of the GDPR, which gives the person in question a mechanism to revoke their consent, you're pretty much definitely fine. You realise that we're not out on a witch hunt here, right?
You make it obvious and unambiguous so that if you argue your case in front of a judge they will agree with you. Same way as you demonstrate a paper consent form is valid.
Company: "User clearly consented. See? Here are the logs, here is the dialogue they were shown."

Person: "I swear I didn't consent! I didn't even see the dialogue! My cat must've walked across the keyboard and accidentally consented"

Ok, you're the judge, what's your call?

Should the dialogue force you to have to type: "I've read and consent to the terms ..." ?

The laws are not about proposing some legal gottac based on inane ruling in clearly contrived scenarios.
If it was accidental (as in the form was clear, but my cat pressed the wrong button), then the user just needs to ask the company to remove the consent.

If the company refuse, or if the user claims he was tricked into agreeing, then there is cause for further investigation.

And it's not going to be a judge from the start, but whatever organism is charged with compliance. Then, if they have a case, a judge gets involved.

I wonder what the compliance organism looks like?
If a user complains, the data protection agency will evaluate your process and evidence. As you say in another comment, "Here are the logs, here is the dialogue they were shown." - that's it, if you're compliant, that's all you need to do. But you need to be able to make a convincing case that the dialogue is reasonable, fits the criteria ("the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language") and the choices a reasonable person would make on that dialogue would reflect their intent.

But this discussion is full of examples of "consent" dialogues that clearly are made to trick users into making a different choice than what they want. In such cases showing the logs and dialogues would demonstrate that a valid consent was not obtained.

It's not a novel thing - for example, I recall that many years ago website opt-in patterns were being reviewed in the Ryanair case where the consumer rights agencies analyzed their website order process where a bunch of 'dark patterns' were used so that people accidentally "opting in" to things they did not want to. There's an administrative process that determines whether your process is honest or tries to cheat users into "agreeing" to things they don't intend to agree. In the latter case, you'll be forced to change how your stuff works.

if there's a process, why are dark patterns so prevalent? i might have seen a clear and straightforward choice once or twice; usually, it is hard to find the reject flow and hard to understand whether i am correctly triggering it.

i am sure there are many databases out there which i am marked as having consented it, although i did no such thing. the standard is to make it hard to express your desire to opt out despite the rules requiring entirely the opposite.

Mostly because enforcement has not gotten to them yet - lots of the really bad examples are from non-EU companies, and the priority of the enforcement has been mostly with local businesses, and most of that for all kinds of privacy issues with more real world impact.

E.g. at the launch of GDPR a local major supermarket chain tried to use a bunch of dark patterns for their loyalty card program (mostly offline) process so as to continue their tracking, they were forced to change last year. It's clear that issues like that have a much larger impact on privacy of people than some foreign news website, and that's prioritized accordingly.

For the major multinational social networks, the delays are (intentionally?) caused by the lack of capacity in the Ireland data protection agency, as many of these multinationals have their EU HQ in Ireland because of tax purposes, so all their cases are being handled there and that means that enforcement for them is going to take a long time. But if I look at random local websites today and compare it to what was happening a year ago, the dark patterns are not prevalent anymore. They appear occasionally, but they're really rare now locally.

(comment deleted)
Exactly. These dark patterns tell me more about the corp behind a site than any regular well-designed cookie popup could. One quick look on these, and I navigate away. Haven't visited TC for a long time.. just not worth it.
They also redirect you from TC to guce_advertising_com/collectIdentifiers... If you have uMatrix installed you need to add bypass lists for that... I won't.
Another dark pattern you see more often these days are sites having a - seemingly very good - "Reject all" choice. But when you click/tap that both "Reject all" and the default "Accept all" are now highlighted, making the result of pressing "Continue" unclear.
Another one is taking a looong time to "save your choice". In the order of a couple minutes.

I assume they hope you just click agree instead.

Eh in FF I just click reader view. It bypasses pretty much every popwall and popover.

And if it doesn't, I leave.

But does it mean you opted out? To me it sounds like you entered undefined behavior territory and probably accepted everything
I live in the USA, the country of caveat emptor and 'who cares about citizens, anyway?'.

If I was a European citizen, then I believe by default I did not allow anything. They would be in abeyance of the GDPR if they were to track or identify me.

If I can jam up even a bit of tracking with a PiHole, ublock origin, privacy badger, Bypass Paywalls Clean, Containers, and more, good on me. Im already inexorably tied to google at the moment, and working to remove myself from their ties.

(comment deleted)
GDPR is opt in not out. If they're tracking you when you do that they're breaking the law.

Also, they're probably breaking the law.

Consent needs to be explicit or there's no consent. Otherwise, we'd be back in the days of putting a message on the site telling "by using our website you accept our ToS and need to give use your firstborn child".
What if there was a service that would automatically email their legal team to withdraw your consent after you close the tab? Like every single time you just click OK and then afterwards they'll have to manually adhere to your request and delete the data again. That would make bad consent UI incredibly expensive :)
They’d shut down the email account ;-)

A better solution is websites actually accepting the “do not track” requests that browsers already send. Unfortunately the most popular web browser is run by the most popular tracking company, who also almost wholly funds the second most popular browser.

Also, websites have no incentives to implement such a feature if it's not required by law.

It costs money and gives them nothing in return

Well, GDPR and CCPA compliance cost something. That could be made simpler using this option.

Also, Ad Blockers are becoming quite prevalent again. Personally, I’ve started using one again for privacy reasons. If a publisher would actually respect my Do Not Track request, I’d happily leave their ads up. I have no problem with contextual advertising.

So that’s revenue left on the table.

It would not be easier. It has to be implemented in addition to the consent form.

I have a website. If I wanted to support DNT, I'd have to take an hour or two to figure it out. To be honest, it wasn't even on my radar.

The solution is to send a message by avoiding those sites thus creating a disincentive for them to maintain the practices. But as you can see from the number of upvotes even very technically literate people will get over this just for an interesting title.

Techcrunch routinely ends up on the front page on HN, ironically many times for articles that condemn the very practices they engage in. No website will change their practices because of strong, informed opinions when the clicks still come in, especially from a distinguished community like HN that just validates Techcrunch's choices.

I believe they still need to allow you to withdraw consent if they want to comply with GDPR.

So maybe it'll be fax instead of email. Or a weekly letter with a list of all the IPs that have revoked consent? I'm pretty sure this could be done very cost effectively if it's many users and only a small pool of bad UI offenders.

The problem here is that there’s a prisoner’s dilemma among websites that rely on ad revenue. If only a few websites decide to become fully GDPR compliant, then those websites see all of their ad revenue disappear and go out of business. If, on the other hand, every website properly implements the GDPR requirements then the tracking based ad model disappears and we’re back to the pre-tracking world of ads.

The problem is: how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue?

This dilemma is just one of many in modern society and all are aspects of Moloch [1]. Ultimately we’d like to kill Moloch but that seems very difficult right now.

[1] https://slatestarcodex.com/2014/07/30/meditations-on-moloch/

Can't they use non-tracking ads based on the content of the page?
They can’t until advertisers agree to it. Today, that means walking away from the big networks and finding your own advertisers to sign for one-off deals. Some sites do it (slatestarcodex is one) but it’s hard work.
> The problem is: how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue?

By cutting to the source and making targeted internet advertisements illegal, full stop, with business-wrecking, revenue-scaled fines implemented for both offending websites and offending ad companies.

don't fine businesses, just require a certain proportion of shares be handed over. if the offences is bad enough, the government gets a majority stake and can force change. if its not, the prior owners lose income and influence on an ongoing basis, since their 10% share is now 9%.
Enforcement of laws is generally the standard solution to "how do you get everyone to cooperate at the same time when the incentive for cheating is that your website gets all the revenue". Compliance should not be voluntary - if cheaters get identified and punished, the coordination dilemma goes away.
In central Europe it is illegal to film the public space in front of your billboard without special permit. Billboards that don't film the space in front of them are still pretty common.

An effective ad on a popular website could be a single jpg hosted on the same webserver as that website itself. You wouldn't need any Cookie banner for that.

But ohh, that isn't enough. No they want to be able to show your users content you didn't explicitly approve and run code on your users computers you cannot verify.

If you had a lemonade stand would you let some company film your customers faces? Probably not.

The GDPR law just makes sure you ask them before you do it

(comment deleted)
Don't forget the fake progress spinner that takes ~30 seconds to complete if you opt-out, but is instant of you just agree.
The consent is invalid if it is harder to reject consent than give it. Another thing, the consent must be opt in. What they are offering is opt out. I will post recitals, when I get home, searching on phone is annoying.

Anyway, I boycott TC since they started their war on users.

Ok, back at my keyboard <3

Prequel, website owners, android developers,... PLEASE, please, check this video. You will more or less understand everything you need to know about GDPR.

GDPR event London 2017 - with Tim Walters: https://www.youtube.com/watch?v=-stjktAu-7k

I think that someone is earning large bucks to trick different websites into believing that they can avoid GDPR by simple tricks while on the other side owners are just too lazy to read simple interpretations made by Article 29 Data Protection Working Party (no, it does not matter what your lawyer thinks if it contradicts recitals). I would call it a scam but I think that some enlightment must be pushed in place:

https://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849

(page 16):

"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice."

(page 21):

"Article 7(3) of the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easy as giving consent and at any given time. The GDPR does not say that giving and withdrawing consent must always be done through the same action. However, when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily."

is this “equally easy” criterion met by a site that says “hi! we don't know each other yet, but you can't procede until you've either pressed the 'accept' button or found the 'manage options' link, worked evert oh good you're bored now thanks for clicking”

and then never shows it again, so i don't really know where i would go to manage consent.

i don't see why companies can't just behave like decent human beings. why do they want me to not trust them?

I'd love to see a blog post enumerating all the dark pattern design in all the GDPR and CCPA cookie opt-out. It could be a case study in user-hostile design.

First you see the warning banner that has the large prominent "CONTINUE (i consent)" CTA button with a tiny "options" link somewhere below.

If you catch that "options" is code for "I don't want to consent", you're then brought to a wall of legalize that you need to scroll to the bottom to find the double-negative-ambiguous-toggle labelled "Do not sell my privacy data". So you need to enable it to disable tracking. I think. But even so, it's a toggle UI instead of a checkbox, so you're not quite sure what state means what.

There's one particular provider of these consent forms out there that a lot of sites use... I'm sure their marketing materials say "our world-class designers have identified the best and most clear user-design principles, which we have inverted to minimize your opt-out conversion rate!"

Clearly the matter isn't simply presenting the ad. The issue is being able to trace and identify the user. Sites will put walls that identify blockers which when passed through by declining will still display ads! Showing the ad isn't nearly as important as tracking who is looking at them.
Because douchebags like TC and whatever service they're using will come up with ways to annoy the fuck out of you so that people will go back to blind consent.

One additional point should've been added to GDPR: malicious techniques to acquire consent will result in triple the amount of fines.

I agree that TC make a mockery of the principle of user consent.
You should consider using uBlock Origin. It'll block all trackers regardless of what you click.
(comment deleted)
Typically, disabling JS (e.g. with NoScript) prevents most of the annoying dialogs like this. Also it helps with some paywalls. Of course, it adds a bunch of other annoyances with websites which won't work properly without JS (that is, most of them).
Page still renders content with all JS blocked. All of the other crap is gone.
TechCrunch works without javascript, which is quite nice from them though. Compare it some others, where the content is literally loaded after consent, using js.
Pardon? Is this saying that closing the page is not a choice?
The guidelines can be found here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

They are pretty great, beyond the examples brought up here. For instance, on the criterion free/freely given, they write the following:

> The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.13If consent is bundled up as anon-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly,consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.14The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

Regarding the last element they cite the examples of public authorities or employment (e.g. monitoring systems) as situations where there is an imbalance of power that may limit the ability to give consent freely (there are other bases for processing data).

Also, I want to quickly remind HN that the GDPR applies to any data processing and goes far beyond consenting to cookies but also to, e.g., any other tracking, "selling" the email address to an advertising firm, taking a video of you, etc.

Giving you the right to get a copy of data held by Facebook & co!
The GDPR has made it a bit easier to see the non-surveillance dark patterns that software developers are addicted to.

Consumer software that respects your wishes has become such a dying breed that I had forgotten just how deep we've fallen down the rabbit hole on everything until surveillance was pulled back out.

It respects the customer wish to not pay a penny for anything.
I don't know about you but I consider this cookie consent thing to be an example of regulatory overreach and a giant pain in the butt
yes, annoying as hell, I'd like to know stats on this, who cares about cookies?

I sure as hell don't, my mom and aunts don't, they have a harder time using the web because of this.

It makes everyone a privacy nut job, when most of us don't care.

I don't know anyone who care about cookies, but I know a lot that care about their private information not being sold and ending up causing trouble. People who are in the "elderly" demographic especially do not like when their data end up being sold to call centers focusing on calling old people (in very scummy ways), and in one case they basically had to give up answering the phone because each day they received several calls that tried to sell one type of crap after an other. A few years ago there was an article here on HN from a person who worked such call center, and they straight up describe how they bought information such as that in order to target vulnerable people.

An other person I know had issues of identify thefts and are now quite concerned about their data being thrown around. Once a person has gotten burned they tend to become a bit more concerned about the potential issues of private data just floating around everywhere.

But neither person care about cookies. They don't work with computers or care about web technology. The cookie existence or non-existence is completely irrelevant.

I can see that but it sounds like a long shot, I do get a lot of spam and the "good ones" don't come from cookies, in my case none came from cookies.

Most come from places where you give them your info, like phone number and address.

If you are going to do such a broad requirement, I'd like to see info on this, how many scams are run on cookies? Is the price of adding these cookie walls worth it?

To me this seems to be run on top of privacy nut jobs who don't get the real privacy threats we are facing.

I am much more concerned on broad usage of facial recognition than I am of cookies of recipes my mom reads online.

Now you can't exchange a service for data anymore, this is outlawed now, I don't know if thats good.

If its such a long shot I would be very happy with simpler laws that just address those issue. Let say:

If data a company collects about a person end up being used by scummy call centers or data identity theft, then any victim should have the right to compensation equal to 10x of any monetary losses, and for every 100 victims the legal person responsible at the company that authorized the data collection should get 1 year in prison. No consent needed, no exceptions allowed. Just simple damages and jail time.

Sadly laws are not written like that and companies would not want to exist with such sword hanging above them, so we end up with laws like gdpr that tries to have enough threats to push companies in the right direction, with mixed results.

Yeah, that could have been better.

But the irony is what makes me angry, the government will create such nice laws to protect us from the tyranny of corporations, when governments are collecting all types of data, specially facial recognition, which IMO are way worse than cookies.

(comment deleted)
(comment deleted)
Great idea - very poor implementation. Most of us here could have seen this coming and designed a better solution.
Such as? I don't mean to sound facetious, but if we take the intent behind GDPR and the current state of user tracking across the web what changes, at a regulatory level, would you suggest that still fulfills the aims of GDPR that doesn't result in our current situation?
The legislation was long overdue. It's a bit more complex than it ought to be but the intentions are just fine. The issue is that there's a huge number of organisations that prefer not to comply or have every intention to make things intrusive and annoying so that people click "accept" to make it go away.

Google inserts many of those banners due to google analytics or ads being used. Their main intention is to gather more user data and make users provide data. This is NOT a 1:1 match with what site owners will want - which is to have users and some basic analytics.

The cookie banners are hostile and intrusive because they are designed to be so. The hope is that users are trained to click 'yes' to get rid of the annoyance.

The GDPR explicitly states that technical cookies are fine, so most sites wouldn't need any banner except for using google analytics & ads. So use a different analytics and you don't need a banner.

It's not the law, it's the implementation and the oligopoly of and companies pushing this implementation.

A lot of websites seem to place cookies before you can consent to them doing so.

I just loaded up the home page of The New York Times (a random example), and it had placed 23 cookies on my laptop before the "Your tracker settings" window finished loading. Now I still haven't clicked "ACCEPT", and we're up to 43.

23 tracking cookies? Cookies have other uses.
My understanding has always been that no consent = no cookies of any kind. Am I wrong?
most of the web wouldn't function at all without cookies.

my understanding is no consent = no tracking cookies. session cookies are okay.

IANAL, though, so I could be incorrect.

Read-only sites ought work without cookies. Perhaps part of the issue is that disabling cookies via APIs makes the {session,local}Storage objects throw exceptions instead of only storing the issues for the duration of the current browsing context, which breaks a lot of javascript that doesn't handle these exceptions and a lot of badly written sites depend on javascript to even render something.
Why not? Assuming NYT has free pages and I want to access one of them, what do they need a cookie for?
> most of the web wouldn't function at all without cookies.

To be fair, though, that's pretty clearly a bug; at a minimum, any site that's just serving content should be fine with no cookies. Of course, any site that's just content should also be at least 95% functional with no JS and barely any CSS, and we all know how that worked out...

> To be fair, though, that's pretty clearly a bug

No doubt. I was just making a statement about the current state of the web. Not applauding it in the least. :)

Nope, the law allows cookie that are necessary for a functionnality that allows the communication or is asked by the user.

For exemple, as I said in another post, is explicitely allowed:

* Cookies for login/session

* Cookies for shopping carts

* Cookies for interface personnalisation (language, etc.)

* Cookies for load balancing

* Cookies to retain user choice regarding cookies

And quite a few other. So really you can run your website without consent notice if you care enough. One grey area is analytics, it varies amongst european DPAs. That I know of:

* In France it is allowed if you respect a few rules (no cross-processing, no localisation, etc..)

* In the UK, it is not per say allowed, but the ICO said they would not prosecute on those grounds.

I would imagine that _placing_ the cookies isn't against the law; it's doing something with them when the visitor returns or navigates to another page. But IANAL and IDART (I don't actually read things).
Technically necessary cookies are fine. If those go beyond that it would be against the law... If you're in the EU.
Have cookie consent pop ups made the web better?

If you're concerned (or aware) about your privacy, you likely have an addon that blocks trackers enabled.

> Have cookie consent pop ups made the web better?

Unequivocally no.

How many sites have seriously thought about reducing Google analytics and intrusive ads? If it's even 1% then the banners unequivocally HAVE made the web better.
> Have cookie consent pop ups made the web better?

Those that are compliant have. 99% of them are still noncompliant so I think it's too soon for a ruling yet. If this law is actually enforced then websites will only have choices of 1) compliant banners/popups in which few will consent 2) finding alternative business models 3) going out of business.

Right now, most sites do 4) just be noncompliant for now because 1..3 means we go out of business anyway.

This is still a work in progress.

it amazes me how many hackernews readers/commenters seem to have no idea what gdpr is or what it means for them.

if a site has a "gdpr popup" then that means they are doing something that the know is morally and legally questionable - not that the law is wrong ffs.

That's because for many of us outside of the EU, it doesn't mean much besides yet more email from content providers regarding changes to their privacy policies that I just delete.

I wish you guys the best of luck with it, though. I would like for my country's notion of "who owns my data?" resolve more to "me". I'm torn about how much it'll cost me to own my own data, though, in a reduction of frictionless free stuff on the internet.

have you had any reduction in emails you dont want? i get a lot less since gdpr.

plus i can now get my data from lots of sites as they cant be bothered to restrict non-eu people to not have the functionality.

plus quite a few more sites / services have options to delete my account and data that only came about because of gdpr

plus it seems like other places are considering similar laws too so then the "benifits" will be felt by even more people.

oh and now you get an indicator of how crumby a company is by how hard it is to opt out of things.

dunno it just seems like a lot of wins. with the main downside being that my person data abuse is regularly brought to my attention via popups etc. but that doesn't seem sustainable - i am hoping its a transitional thing and company actually just start complying.. but i guess that will take the EU laying down some serious fines to make examples - which to be fair this article seems to be a step towards. seems like many other control systems (e.g. dangerous goods shipping or hazardous chemical controls) that the governing bodies are careful in applying the law to make sure they don't just fine companies into oblivion if they are making steps in the right direction and fix anything specifically called out.

I am wondering when Google will get around to providing better "out of the box" support for GPDR. I should be able to get UI to let users opt out, and see/delete data, as easy as installing GA in the first place.

Most of my projects are non-commercial, but they still usually have GA, GA tends to be the only thing I have that requires GPDR attention, that I'm aware of anyway.

I believe that simply disabling IP address collection is enough to be GDPR compliant with Google Analytics: https://developers.google.com/analytics/devguides/collection...
The challenge with GA today is that the default code that Google gives you includes Tag Manager, and they encourage you to include DoubleClick as well (can't remember if that is in the default).

If you go out of your way, you can implement GA, by itself, the "old way"--which is GDPR compliant out of the box. It's Tag Manager and DoubleClick that are not.

I always find GA docs/instructions confusing, but when I try to see what current GA instructions tell you about how to include GA in a page, I get this:

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=[ID]"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());

      gtag('config', '[ID]');
    </script>
Is that the "old way" or the "new way"? Maybe it's an even newer way, which is essentially similar to the old way?
No it's not.

I can't talk for other countries, but for France, the local DPA explicitely said so[0]!

Loose translation: "The analytics tool do not fit within the consent exemption when their provider reuse data for their own profit. That includes most big analytics service available (see for exemple Google Analytics confidentiality policy)"

[0]https://github.com/LINCnil/Guide-RGPD-du-developpeur/blob/ma...

Why add GA then? It's user hostile and there are better and more compliant ways to track basic analytics.
Given my browser sends out a "Do Not Track" header with every request, explicitly opting out of tracking, I'm not sure why I should ever even have to click a button to opt out. DNT is supported by Firefox, IE, Chrome, and Opera, and was supported by Safari until February 2019. The reason Apple dropped support was insufficient support and adoption by sites.

The advertising industry is actively user-hostile.

Apple actually dropped support for this, because advertisers were using this setting to fingerprint users.
Geez.

What's the HN advertiser spin on this? It's to help users find products they want and need, despite the fact that they explicitly say they don't want your help?