117 comments

[ 3.4 ms ] story [ 200 ms ] thread
I find it hard to care about violations of the worst law that ever happened to the internet.
Care to elaborate on that? I rather like it. As a developer it's a pain, but as a citizen I find it to be a step in the right direction.
I'd also be interested in an elaboration. It isn't much about the violation of the law itself but the violation of privacy; why do I have linkedin.com, spiceworks.com, techtarget.com, godknowswhat.com suspiciously dumping cookies in my browser?
Keeping cookies is voluntary - the HTTP header can only ask if you wish to keep it.

Most popular user agents just keep all cookies by default, but it’s by no means given.

I think there's some merit to "this site uses cookies to track you as you visit different sites". There's none whatsoever to "this site uses cookies to remember your login information".

The law seems to make no distinction. As a user, I view every cookie notice as pointless and annoying -- obviously you use cookies, and obviously I'm okay with it. If the notice were specifically about cross-site tracking, that would be a meaningful notice, and opting out would make sense. Session cookies, though? You're warning me about session cookies?

If I could set a blanket "I accept cookies" in my browser settings and have those notices all go away,. I would in a heartbeat.

And, in fact, I DO have a blanket "I accept cookies" setting in my browser. Sadly, I'm still forced to manually opt-in on each stupid website.

Ideally, we would distinguish between different "types" of cookies (and I believe the law requires you do this), and we would have settings specifically for these in browsers (which we sort of do in a limited fashion), and we would simply make it a setting defaulted to "ask". show notice only if the user has manually changed the setting from "ask" to "accept" for the types of cookies used on a site. Boom, useful and non-annoying cookie notices.

Until we do that, it's a bad system, and a useless law.

> The law seems to make no distinction.

What do you mean by this? The law does make a distinction between essential and nonessential cookies (cookies that are necessary for the function of the website/app, i.e. session cookies, and not necessary, i.e. analytics IDs) and requires you to get consent for nonessential cookies, while allowing essential cookies. If a website doesn't set any nonessential cookies then it doesn't need to ask for consent.

Good point. I'm certainly not an expert on the law -- I did some quick googling, but not a lot.

Session cookies, e.g. are fine. As best I can tell, "remember me" / "remember my email" checkboxes still do require a banner, though I'm not sure. Preference cookies in general seem to. That strikes me as silly.

Facebook's tracking me on thousands of unrelated websites; Wikipedia is remembering that I X'd out the donation banner last week and don't want to be shown it again[0]. These are entirely different use-cases with entirely different privacy implications. As far as I can tell, both require a banner, and while the banner allegedly has (or links to) details about which is occurring, I've never, ever paid enough attention to those banners to see those details.

Part of this mess may be due to the fact that our client software is dominated by the largest advertiser, but I'd prefer regulations that address that by demanding privacy-respecting settings and setting defaults, not by showing me banners that I've never found useful.

I use uBlock Origin and Firefox' tracking protection. I don't use the consent banners. I think most people automatically click "yes" on those, yet given the option to block tracking cookies en masse, would enable that option.

[0] Okay, seems as if Wikipedia ISN'T storing that info, but I wish they did.

The case you describe for Wikipedia would be a functional cookie, not subject to a banner, while Facebook would use a tracking cookie, subject to a banner.

I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.

Thanks for clarifying. You may be right -- again, I'm far from an expert. The distinction I've seen is essential vs. nonessential. Remembering that I dismissed that banner seems more like non-essential to me. Seems more along the lines of saving my preferred font size. That said, the sources I'm finding about this are maaaybe not the most reliable.

Is there a difference between remembering this "for the current session" vs. "for several weeks"? (The idea of a session is awfully vague given how HTTP works, but seems like one we use anyway.)

> I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.

One thing I can add is that when I searched for info about the law, I got a bunch of results from cookieyes.com, which told me 1. that I need a cookie banner for any cookies at all and 2. we'll provide you with a cookie banner if you pay us.

So there's definitely some incentives to push unnecessary cookie banners going on. :-)

Those notices also often say "This site uses cookies to make your experience better", so yes, in this sense it's useless. But that's not all the law is doing. Many websites from US simply stopped serving anything for European IP addresses, responding just with error 451, which I always take as a sign that this site wants to sell my data more than they want to show me ads, so I'm glad I didn't accidentally visit it.
it’s actually a sign of a fragmented internet, and brings into question the very idea of an open and free internet. but alas, if this is what politicians want, this is what we’re getting.
It's not a free Internet if there's a hidden price the visitor has to pay, which is being tracked and monitored wherever they go.
0. the price is close to zero. that’s why most people don’t care about it.

1. it’s not hidden. open dev tools, see what the page does.

2. someone has got to pay. either a subscription or with your data, the salaries need paying once per month.

0. But I do, and I make my choice when presented with one.

1. That's still hidden. "read the code" has never been an acceptable answer to how to inform users, and wouldn't even get close to being allowed under the current GDPR or ePrivacy directives.

2. If you want me to pay then you have to tell me how much I have to pay. It's why there are laws on the clear display of prices in restaurants, and that bars in the UK have to have the prices of drinks listed.

If you want me to pay the price to enter your wensite then tell me what that is and let me make he choice.

Over the last 20 years or so companies have been playing fast and loose with people's data, they could have not done that, but the continued, and now this is what they have to deal with. Forgive me if I don't feel sorry for them in the slightest bit

In my opinion, it’s solving the problem at the wrong level. If you, as a government, want to coerce someone into solving this problem, it should be forcing browser vendors to provide more visibility into and control over (especially third-party) cookies.

Instead, we have a banner you have to interact with as the price to visit pretty much any website.

I don’t know, I think the banner is a pain but it is absolutely the responsibility of web developers to allow user choice in tracking. Cookies don’t have to be third-party to be harmful.

If the roads are bad, we need to fix the roads, not just tell everyone to drive better cars.

I mean sure, but technically you already have that choice. It's entirely up to you whether to keep, discard or modify cookies. Your user agent is doing a bad job of managing this for you.
GDPR isn't a cookie law, it's a data privacy law. Cookies aren't the problem, it's what people are doing with the data that's the issue.

You can track people with all sorts of other means other than cookies, you would also need to get people's permission to do this.

We were specifically discussing the cookie banners though.
Yes, but in the context of GDPR, which doesn't really go into detail about cookies, "…throughout its’ 88 pages, it only mentions cookies directly once" - https://gdpr.eu/cookies/.

The issue is handling of PII, tracking users and the hoops companies are jumping through to try to trick users into agreeing to allow this. In reality forcing users to select through the myriad of cookies that many sites set isn't practical, and doesn't get round the fact that you still would have to "Receive users’ consent before you use any cookies except strictly necessary cookies."

A better technical solution would be to enforce that web applications respect a client header that specifies the level of cookies the client will allow (see https://gdpr.eu/cookies/).

An even better solution to this would be to stop the invasive tracking and profiling of users that has brought us to this point at all.

A HTTP response may ask the user agent to keep a cookie.

The user agent is free to do so, reject it, or ask the user (as Konqueror did).

It is not the responsibility of everyone responding to HTTP requests to ask to ask “I ask you if I can ask you to keep this cookie”.

Remembering that HTTP is a format of messages being sent between people, it’s clear to me that this law is unwise. Likely written by Eurocrats who don’t understand HTTP.

In principle, yes, but if a browser asks a non-technical user whether they want to accept a cookie called "__Secure-3PAPISID" (an actual Google tracking cookie) with gibberish contents, what are they supposed to say? How can they understand what that means?
It’s true that those who don’t understand what a HTTP cookie is, are unable to make informed decisions about them.

Forcing those who reply to HTTP messages to ask if they can send a header asking if they can save a cookie does not change that - the user who clicks the cookie popup may still now understand what they do.

Many do understand things like private mode though, which is nice.

In this analogy though, browsers really feel more analogous to roads and sites to cars to me, rather than the other way around, being the common infrastructure on which the other operates.
Why is it the responsibility of a host to provide labour for free? If you don't accept the price of admission, then just don't go in.

Say I have a dress code at my club. You don't have the right to a "meaningful choice" of wearing flip flops and shorts and still enter my property.

I don't have the right to a meaningful choice of bypassing paywall either.

Back in the 90s we had cookie confirmation things. A browser called konqueror even had it on by default. Every time a server tried to set a cookie you got a chance to say no, etc…

For users it was as awful then as the experience is now.

The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.

I would LIKE to say that all this law does is annoy people. I would like that, but no. Instead what it does is train literally billions of people to click "fuck off" (actual text is usually something like "I agree", but what the user means is "fuck off, I'm trying to read the article"), without reading what the box says.

ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.

So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.

Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.

Are you in Europe?

> Back in the 90s we had cookie confirmation things. A browser called konqueror even had it on by default. Every time a server tried to set a cookie you got a chance to say no, etc… > > For users it was as awful then as the experience is now.

Yes, I remember. Back in the 90s you could always choose another browser that didn't do that, and we didn't yet have the rampant data collection and exploitation that we have seen since. Back in the 90s it was a novel thing when $known_company got a website at all. In the intervening years a huge amount of our life and identity has moved online.

> The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.

Where there is no way of opting out of the data collection I leave, and I have taught my family to do the same.

It is possible to run a website that doesn't use cookie popups. Amazon UK sets 3 essential cookies (i18n prefs and two session cookies) on first page load. https://basecamp.com/ doesn't set any.

> ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.

Sorry, which websites were warning users of potential security issues before? What choices were users being asked to make? I am not sure we were browsing the same web.

> So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.

Remember that this law isn't about cookies. It's not a cookie law, it's a law about data privacy and control. Cookies are just one part of it. The law also deals with the safe and appropriate handling of user data, and when a website does pop up a huge hard to use banner that uses dark patterns to get you to click it then it's not the EU being annoying and forcing users through this annoying process, it's forcing websites to effectively tell users that they want to do extra things with their data. It's like forcing bank robbers to dress up in stripey shirts and use bags labelled "SWAG".

Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit. You can at that point blindly click the "Accept" button if you want, I choose to leave.

The web industry, and avertisers in particular, have had over 20 years to pull their shit together to avoid this, but they didn't, so now we have this.

> Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.

I've hit very few of those, and to be honest it's not been a particularly big deal. It's also their choice. Don't want to stick to the EU speed limit? Don't drive on the EU roads.

> Are you in Europe?

For now.

> Sorry, which websites were warning users of potential security issues before?

Not just websites, but applications too. If you had to click "fuck off" to 100 cookie popups today, then when your email client pops up "exe files are dangerous", or your browser says "this website is not secure" you won't even read that, but just press "fuck off, make it happen".

> Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit.

But since that's every website, it's meaningless. Especially since nobody looks at that red flag because of popup fatigue.

I think you're speculating here. Anyway, I don't think the solution to these problems are to just get out of the way and let companies play fast and loose with our data, it's to continually push them to do better.
Am i speculating that all sites of nontrivial size has a cookie popup (or legally should have)? Or that popup fatigue is a thing? Could you be more specific?

I'm not saying there's no problem. I'm saying this doesn't even close to address the problem, and it makes everything much worse.

1. Block 3rd party cookies (useless on 99.99% of the sites)

2. Install uBlock Origin (https://www.ublockorigin.com)

Don't forget step 0:

0. Don't illegally put nonessential cookies in the browser without the user's consent.

I think it's impossible to enforce this worldwide, and any website can be based in any jurisdiction. The consent popups are also super annoying. It's also hard to define what "essential" means.

I'm personally much more in favor of the technological solution: I block all cookies and only explicitly enable them on websites that I need to log in to.

I would disagree with the idea that it's hard to define what's essential: whatever is essential for the function of a website/app. This means things like session login cookies but not analytics cookies.
That is still not clear. Not everyone need to sign in so it could not be essential. It should ask when you want to login if you want to store a cookie or not.
Yeah, that's why it depends on the function of the website or app. If you need to sign in to access an app, and the session token is saved using a cookie, then it can be considered an essential cookie. But on a marketing website that doesn't have a login component then yes, you're right, logging in isn't required and so it's arguably a nonessential cookie.
I think it goes deeper than this.

An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential. They could claim that being able to recommend food based on your past searches is part of their core functionality, and that requires saving searches in cookies, or saving them on the server side with a fingerprint on your side.

You could argue that Yelp is only a yellow pages of restaurants and therefore no cookies are essential. Someone else could argue that they are much more than a yellow pages, that if they were only a yellow pages they would not be profitable and cease to exist, and that their core reason of existence is their recommendation engine. To that person, essential functionality would require more things to be stored.

Then there is a regulatory aspect. Some governments may require their companies to install trackers of sorts. Some governments just don't give a damn and let their companies do as they please. GDPR is not a universal law. It's an EU law. Nobody else has to follow it, and there is no way you'll convince every country in especially Asia, Africa, and South America to follow GDPR. A technological solution on the other hand can deal with the entire problem with a single software update, much more effectively than any legal route.

The law isn't as fuzzy as you think.

> An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential.

They could claim that but it would not be relevant in law. The GDPR provides an exception for "strictly necessary" cookies only, as follows:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

If I didn't explicitly request for Yelp to show me restaurants physically close to me, or to recommend food based on my past searches, then neither of these things are "strictly necessary" as defined by the GDPR and they can't store personal information about me regardless of what they claim.

Note that 'share my location' (or not) is already being perfectly fine handled by the browser.
On a side note I was once able to get a very precise location even with permissions turned off, simply by virtue of 2 devices being on the same Wi-Fi network, the other device having given permissions.

For one they both appear to the outside as the same IPv4 address, and Wi-Fi doesn't travel that far so you can usually presume they are at the same location. There are other ways like having one device hog bandwidth in a slowly modulated fashion, and have the other device pick up on that modulation in streamed data.

This isn't related to the parent comments and I highly doubt any major apps actually implement this but just pointing out that such a side channel attack is possible.

except that -1: there's nothing illegal about not asking for consent when cookies are not related to, in the cookie itself, personally identifiable information.

You don't need permission to set cookies, every server with session management relies on them. You do need permission to set cookie that may leak PII.

This person should try again, but this time actually look at the content of the cookies to see whether their complaint even makes sense.

No, it’s not a PII related issue. You need consent to set nonessential cookies, regardless if they contain PII. An example is Segment, which sets cookies but may not be tied to a particular user. Segment, at least using just for analytics, isn’t necessary for the function of a website or app, so even if the cookies don’t have any PII you still need to get consent.

You’re right that you don’t need permission to set server session cookies, but that is because that cookie is essential for the function of an authenticated app.

No, you don't: GDPR makes zero stipulations about that, and only requires consent if you're dealing with cookies that either contain PII, or themselves act as PII for cross-site tracking purposes.

Sites are entirely free to set as many cookies as they like for any and all "non-essential" site purposes because anything in place to make a website work can be trivially argued in any court to be essential to running that particular business in the most cost effective manner: page metrics, heat maps, front door proxying, A/B testing, optimization etc. are all part of running a business on the web. Whether you as user consider that essential, or what your opinion is on what qualifies as "cost effective" is entirely irrelevant. Will the site work without an analytics cookie, and an optimizely cookie, and a cloudfront cookie, etc. ? Sure. But if a business decides they need a service that needs cookies set to work properly, as long as no PII is involved, that is not GDPR's concern in the slightest.

GDPR may not apply, but regulations like PECR do - and they will frequently require consent as defined by the GDPR.
Yeah. I can see every website following step 0 because yladiz said so. Good way enforcing that with random websites.

Take your privacy into your own hands, why leave it to others to implement. Many won't

Let’s remember that the http response asks the user agent to keep the cookie - it is voluntary to do so.

Browsers may not have white lists but rather always set cookies, but it is not a given.

For this reason, I wish my government would have rejected the ridiculous cookie law, and GDPR as well.

I've always doubted that all these popups are actually delay the setting of cookies. With so many options, it would be quite an undertaking to actually only embed what people checked.
If they're for technical purposes, not tracking purposes you don't need permission under GDPR at least. I'm going to assume they know what they're doing, at least until I see evidence to the contrary. Benefit of the doubt, innocent until proven guilty, and all that.
I still struggle to see how cookies set for spiceworks.com or linkedin.com are for "technical" purposes of just serving a landing page.
“We need these super high tech cookiemotrons to provide you with the best user experience possible. We consider it a technical necessity to meet your need to have your data harvested. You should be thanking us. We would explain further, but you’re too stupid. What are you gonna do? Have us testify before technologically illiterate politicians and fine us 1% of what we pay our CEO?.”
> Have us testify before technologically illiterate politicians and fine us 1% of what we pay our CEO?

Slack operates in the EU and has paying customers in the EU. It also likes to take advantage of anti-competition regulations when convenient: https://slack.com/intl/en-in/blog/news/slack-files-eu-compet...

CEO pay seemed to be $356,952 at time of Slack's IPO.

Maximum fine under GDPR is the greater of 4% annual turnover and $23M. Slack's turnover is too small, which means the maximum fine is $23M, nearly 700% of CEO's basic compensation.

Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.

> Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.

sadly, the regulators are yet to show that the GDPR has any teeth. Most recently, the ICO gave British Airways and Marriott significant reductions on fines they raised last year.

£20M and £18.4M are still reasonably sizeable amounts - and given the pandemic has likely impacted BA & Marriott's profits substantially already, I think some sort of adjustment was likely the fair thing to do.

H&M have been fined £32M. This wasn't hugely far off the 4% annual turnover cap.

Compared to the previous Data Protection Act limits, these fines are definitely significant.

> Regulations here have teeth

Citing the maximum possible fine here does essentially nothing to convince me of that fact.

What're you implying? That non-trivial amounts are never actually fined?

TIM were fined 2780% of the CEO's base salary recently.

Is this trend of using specific legal concepts and somehow applying them to public discourse writ large ever going to end?

To me, I fail to see how "ads.linkedin" is possibly for "technical purposes." Pretty basic common sense and I don't need to apply some 'innocent before proven guilty in a court of law' standard to my own opinion.

One minute wasted watching this and it doesn't even show the contents of those cookies. Without looking at the contents, it's impossible to tell if they are "necessary for site functionality", for which you do not need consent (as you can see in the video, there is no checkbox for that sort of cookies, they are always active).
Without looking at the contents, would you argue non-Slack cookies (linkedin.com, techtarget.net, etc.) are essential for site functionality?
Slack has no control over those cookies - but it is of course questionable at best that those third-party services are allowed to embed their crap by default. That's not a cookie consent issue though, strictly speaking.
This isn't accurate. Slack has 100% control over the content that goes on their site, and that includes 3rd-party tracking pixels and other mechanisms that lead to these cookies from 3rd parties.
> Slack has no control over those cookies

Sorry, I fail to see how Slack has "no control" over the usage of ads.linkedin cookies?

Google bot protection\re-captcha has cookies in google.com and ARE essential. but in the video you have some other stuff. So, at least for google you can't be sure.
Unless there's actually a captcha on that page, they aren't essential. Furthermore, you could argue that recaptcha itself is in breach of the GDPR as it collects a lot more data than necessary (captchas have been done just fine for decades without collecting any personal information).
That isn't how reCaptcha works though. v3 doesn't even show challenges anymore. It wouldn't work at all without analyzing user metrics.
Well then maybe it's not compliant with data protection legislation if they need to analyse user behaviour without consent.
From my perspective as a user making me click those traffic lights isn't essential functionality.
But for the business, bot protection is essential. And GDPR talks about business perspective.
GDPR talks about balancing business interests against individual rights.
When placing cookies, the bar to essential is actually really high.

It has to be essential and unavoidable for the delivery of the bytes to the browser, or it has to be essential for the requested functionality.

The UK ICO has some pretty good guidance. I'd not be confident at all arguing that recaptcha is at all essential under PECR, even though it may be a legitimate interest under GDPR. Important to note that PECR/ePrivacy directive actual goes further than GDPR when it comes to the cookie rule, and you can't use legitimate interest as a basis here!

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Not sure if I agree. Taken from your ICO link:

"This means you are unlikely to need consent for: - load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers."

You can put a lot of things in this exemption list. I risk to say, even Google Analytics.

Surely, for a business, things like advertisement, tracking, etc. may also be essential.
(comment deleted)
No cookies are 'necessary' for site functionality, unless there is a login needed.

No cookies are 'necessary' to just display information, pics and videos.

From GDPR.eu:

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

Seems like you can in fact set first-party session tokens without consent. Does not seem like you need a specific reason to do so.

Only if it's needed for giving the user functionality they explicitly request (i.e. after adding something to their basket, they implicitly accept a session cookie that's solely used to hold their basket content). That wouldn't extend to using that cookie for analytics or retargeting though.

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

So I'd argue it does need to be a specific reason, at least if you follow the ICO guidance (which is probably the best I've found for explaining what's required by the ePrivacy directive)

Strictly necessary can also include security measures, of which session IDs tend to be a part of.
bullshit. any site with a form needs a cookie, unless the site is stupid. any site that tries to use post requests might need some.

heck even the confirmation or storing which cookies should be saved needs a fucking cookie.

no you don't unless authentication is needed. How is post request and cookie even related? It is simple web dev 101.
You need to store some kind of state if you want to protect the form from CSRF attacks. You usually want to protect the form.
You don't need a cookie for that though... Even a window variable would suffice
(comment deleted)
I have a form on my site. My site has no cookies.

I have no issues.

If you don't even have a CSRF you actually probably have an issue that you are not aware of.
It's an email signup form so it's fine.
Don't know about the actual cookies, but I'm pretty sure the "click a simple button to accept all but go through a long and slow process to reject"-pattern is not compliant with GDPR.
Compliant is anything which government do not fine companies for under GDPR. Non-compliant is anything they do. Any other definition isn't relevant in practice. So far I haven't heard of governments fining over this and so it is effectively compliant. So if you have an issue with this behavior complain to your government representatives.
Criminals that did something illegal but weren't caught are compliant with the law then?
That's not what I said. I said, a law which is not enforced is not in practice a law. It's just worthless words on a piece of paper.

There's a difference between a law which is not enforced and a law which a particular entity (but not others) manage to evade.

I merely pointed out that the entity to blame isn't the corporations who follow the law as it is applied but the government who enforces it that way.

It's not. An update was published to the regulation stating this clearly for those who don't understand what consent means.

The option to accept or reject must be equally prominent, and if there's complications to rejecting, then the consent cannot be considered freely given.

Disclaimer: I'm not a lawyer.

Could easily be explained by the difference between a "tracking cookie" and another type of cookie.
The Cookie AutoDelete extension lets you sidestep these problems completely. You don't need to rely on trust to control your cookies, but a whitelist fully managed by you.
Who cares? Those damn consent banners are ruining the web.
Completely agree. So annoying especially when it take half of mobile device screen

I think with tracking protection in modern browsers it should be absolutely fine to allow websites to store data in any possible way (cookies, local storage, websql etc)

I think many on this site often neglect the reality that soft barriers (having to figure out how to configure your cookie settings) become hard barriers for huge majorities of people.
As long as it's opt-out by default (like GDPR mandates it), it should be fine ?
I'm still hoping we can some day come up with some HTTP header that signals *I know what I'm doing, if you send me cookies I'll keep or discard them as I see fit".
We did, it was called Do-Not-Track. If websites were respecting it we wouldn't have the current situation.

The problem? Websites were not only ignoring it but using it as yet another tracking vector.

Couldn't all these 'pick cookies' dashboards be integrated in the browser without running in the same issue ?
The problem is that the GDPR consent prompts ask for tracking/data processing consent regardless of any technical methods like cookies, local storage or browser fingerprinting.

A browser implementing a cookie consent UI would not fully solve the problem because websites might still want to track you through other means (browser fingerprinting, server-side analytics, etc) and if they want to respect the regulation then they still need to ask for consent.

Well, this would still offload most of it to the browser, and I guess that plenty of websites (especially smaller ones, for which GDPR compliance is likely to be a heavy drag) do not use these other means ?
Shocked-pikachu.jpg

Why don't we have any browsers that aggressively deny and block tracking?

Oh right, the ad companies.

Isn't that Brave? Granted, they have their wierd crypto crap, but the big selling point is adblocking by default.
Do-Not-Track is the opposite. Do-Not-Track is a request not to send cookies.

This would be like Go-Ahead-And-Try-Track-Me-I-Dare-You.

if gdpr would have used a framework like do-not-track it would have not happend. but as always in the eu. NIH syndrome. also they did not cared besides multiple people telling the rulemakers that this will happen.
There's nothing about the gdpr that forced cookie banners for each website. The tech industry could have implemented the requirements differently, but they haven't done that, instead taking the most annoying and obvious route. The closest thing to a technical solution that was widespread is do-not-track, but since it gets thoroughly ignored nowadays, it's worthless. As an example, since the DNT header is a pretty clear signal that you don't want to consent for various tracking, websites wouldn't have to display the consent-form for that and could only use essential cookies (or leave a choice for cookies for other purposes, if there are any). Recital 32: "This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data."

And according to the ico (https://ico.org.uk/for-organisations/guide-to-data-protectio...), the common click-this-button-to-get-through or do annoying things is not valid consent: "You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.".

The reason why you don't want a specific technical provision in this law (and almost all laws) is that they get outdated in less than five years. For example, imagine a framework based on http-headers fixed in law. That would've made it (almost) impossible for google to introduce spdy in europe, since it isn't http. Or, more general, the EU initiative to use micro-usb connectors would have made the switch to usb-c impossible, if they were written into law. And that's a comparatively slow moving field, with a very specific applications (charging mobile phones).

That's the intention. Malicious compliance.

"Oh, you want us to tell people we're tracking them as a means to stop us tracking them? nah, lets just make the banner as obnoxious as possible so that they hate the banners- if we all do it, people will overturn the regulation"

Hopefully, people will just start to use site that comply without being malicious. I just close more and more often the page when I see this. The reality is that they need readers/users more than we need them.
This is on purpose. It's done to be as painful as possible while being legal to make the user hate the experience and blame the law, not the implementation.

I'm hoping the EU cracks down on dark pattern implementations, malicious compliance (as another comment mentioned) very likely goes against the spirit of the law. The ad-tech industry is quite powerful so I think this will drag on for a while.

While it drags out, I've been stubborn. Always refusing all cookies when I can't zap the cookie banner/blocker with uBlock. The most pain I can take is setting about 20 toggles. There are some implementations creating hundreds of lines of opt-outs, some where you have to opt-out vendor by vendor on their own website. Those are the ones where I close the page and forget about the content. It's not worth the hassle and my data.

I wasn't such an advocate for data privacy half a decade ago, I was aware about it and how it could be used, just had never seen it, not necessarily in action at the time, but being debated on corridors.

The unethical proposals I heard in meetings or by the coffee machines on how to extract/transform/identify through amassing data were quite alarming. Not because they were blatant bad but that the collective way of talking about it completely disregarded the end user.

GDPR really changed that talk internally, it's been a massive effort and a pain in the ass sometimes but I do value the spirit of it. Could it be the wrong approach? Or too heavy-handed? Misapplied? And so many other still unknown problems? Yes, I do think there are too much uncertainty in how this pans out on the long term. I do deeply appreciate the effort though from the EP and the EU in putting this into the public eye, we should have been having this discussion quite some years ago...

There are still tons of open questions and discussions to be had on data privacy laws, I feel the pain of having an increased workload because of it but it should become cost of business. Protection of your customers' data, its usage and their privacy should be a cost of business for companies depending on that. Level the game, create some mechanisms to help smaller companies be bootstrapped with this mindset and with guidelines and best practices for a quick ramp up.

It can be a cost of business for large enterprises, smaller companies might need help to not be overburden if these laws get too complex.

I don't think I'm too revolutionary.

> There are some implementations creating hundreds of lines of opt-outs, some where you have to opt-out vendor by vendor on their own website.

If I'm not mistaken, if there isn't a big 'Refuse All' (non critical) button on the 1rst dashboard 'page', then that implementation is considered to be illegal by the GDPR ?

The part of GDPR that gets applied here is the general standard for obtaining consent. It's very high-level stuff... So, without very specific case law, it's hard to say. The requirement that it should be as easy to revoke consent as it is to give one certainly resembles your argument.
Yeah. Asking for people for consent before stepping on their rights is so annoying.

We only we could be free to skip asking, right?

Honestly what's more annoying is websites presenting non-EU visitors with consent banners.

I understand doing an IP based geolocation filter might not meet stringent compliance requirements/might be technically involved, but I resent a UX pattern that repeatedly requests my consent for cookies because, ironically, I do a lot of my browsing in incognito mode.

The real problem is that companies insist on doing so much non-essential user tracking.

The intent of GDPR is to reduce this, but companies seems to prefer providing a terrible UX instead of respecting user's privacy.

I would be outraged if I didn't know what cookies were, but since I do, I think it's entirely reasonable, any half modern browser provides a mechanism to allow or disallow, and otherwise manage cookies, and I'd much prefer that we abandon these idiotic "we value your privacy" nag-screens and bars and let it be up to the browser and user settings.

Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:

Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>; Description=<LANGUAGE:User readable description,...>; Importance=<Required|Recommended|Noncritical>

If people don't want cookies, they can disable them in their browser.

This is still one of the most idiotic laws the EU has made so far.

> I would be outraged if I didn't know what cookies were, but since I do, I think it's entirely reasonable, any half modern browser provides a mechanism to allow or disallow, and otherwise manage cookies…

Unfortunately that mechanism doesn't exist.

> I'd much prefer that we abandon these idiotic "we value your privacy" nag-screens and bars

There's an easy way of fixing this, and that's to just not send the cookies. See basecamp.com or amazon.co.uk (from the UK). No cookie popups, and (respectively) 0 and 3 (seemingly essential) cookies.

> let it be up to the browser and user settings.

That ship has sailed. You now require user consent before you set all but essential cookies https://gdpr.eu/cookies/

> Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:

Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>; Description=<LANGUAGE:User readable description,...>; Importance=<Required|Recommended|Noncritical>

That ship has, as I said above, sailed.

> If people don't want cookies, they can disable them in their browser.

Ditto. But, seriously, do you know how ridiculous that argument sounds? Don't like people speeding? Don't drive! You are unlikely to be so thick to think that turning cookies off on a web browser will make the web anything other than completely unusable.

> This is still one of the most idiotic laws the EU has made so far.

The butthurt from people about this is amazing. We've had companies playing fast and loose with our data for 20+ years and they had all this time to sort themselves out, and they didn't. They kept on abusing the system to attempt to squeeze out ever more marginal gains from users personal data.

This is on them.