I'd also be interested in an elaboration. It isn't much about the violation of the law itself but the violation of privacy; why do I have linkedin.com, spiceworks.com, techtarget.com, godknowswhat.com suspiciously dumping cookies in my browser?
I think there's some merit to "this site uses cookies to track you as you visit different sites". There's none whatsoever to "this site uses cookies to remember your login information".
The law seems to make no distinction. As a user, I view every cookie notice as pointless and annoying -- obviously you use cookies, and obviously I'm okay with it. If the notice were specifically about cross-site tracking, that would be a meaningful notice, and opting out would make sense. Session cookies, though? You're warning me about session cookies?
If I could set a blanket "I accept cookies" in my browser settings and have those notices all go away,. I would in a heartbeat.
And, in fact, I DO have a blanket "I accept cookies" setting in my browser. Sadly, I'm still forced to manually opt-in on each stupid website.
Ideally, we would distinguish between different "types" of cookies (and I believe the law requires you do this), and we would have settings specifically for these in browsers (which we sort of do in a limited fashion), and we would simply make it a setting defaulted to "ask". show notice only if the user has manually changed the setting from "ask" to "accept" for the types of cookies used on a site. Boom, useful and non-annoying cookie notices.
Until we do that, it's a bad system, and a useless law.
What do you mean by this? The law does make a distinction between essential and nonessential cookies (cookies that are necessary for the function of the website/app, i.e. session cookies, and not necessary, i.e. analytics IDs) and requires you to get consent for nonessential cookies, while allowing essential cookies. If a website doesn't set any nonessential cookies then it doesn't need to ask for consent.
Good point. I'm certainly not an expert on the law -- I did some quick googling, but not a lot.
Session cookies, e.g. are fine. As best I can tell, "remember me" / "remember my email" checkboxes still do require a banner, though I'm not sure. Preference cookies in general seem to. That strikes me as silly.
Facebook's tracking me on thousands of unrelated websites; Wikipedia is remembering that I X'd out the donation banner last week and don't want to be shown it again[0]. These are entirely different use-cases with entirely different privacy implications. As far as I can tell, both require a banner, and while the banner allegedly has (or links to) details about which is occurring, I've never, ever paid enough attention to those banners to see those details.
Part of this mess may be due to the fact that our client software is dominated by the largest advertiser, but I'd prefer regulations that address that by demanding privacy-respecting settings and setting defaults, not by showing me banners that I've never found useful.
I use uBlock Origin and Firefox' tracking protection. I don't use the consent banners. I think most people automatically click "yes" on those, yet given the option to block tracking cookies en masse, would enable that option.
[0] Okay, seems as if Wikipedia ISN'T storing that info, but I wish they did.
The case you describe for Wikipedia would be a functional cookie, not subject to a banner, while Facebook would use a tracking cookie, subject to a banner.
I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.
Thanks for clarifying. You may be right -- again, I'm far from an expert. The distinction I've seen is essential vs. nonessential. Remembering that I dismissed that banner seems more like non-essential to me. Seems more along the lines of saving my preferred font size. That said, the sources I'm finding about this are maaaybe not the most reliable.
Is there a difference between remembering this "for the current session" vs. "for several weeks"? (The idea of a session is awfully vague given how HTTP works, but seems like one we use anyway.)
> I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.
One thing I can add is that when I searched for info about the law, I got a bunch of results from cookieyes.com, which told me 1. that I need a cookie banner for any cookies at all and 2. we'll provide you with a cookie banner if you pay us.
So there's definitely some incentives to push unnecessary cookie banners going on. :-)
Those notices also often say "This site uses cookies to make your experience better", so yes, in this sense it's useless. But that's not all the law is doing. Many websites from US simply stopped serving anything for European IP addresses, responding just with error 451, which I always take as a sign that this site wants to sell my data more than they want to show me ads, so I'm glad I didn't accidentally visit it.
it’s actually a sign of a fragmented internet, and brings into question the very idea of an open and free internet.
but alas, if this is what politicians want, this is what we’re getting.
0. But I do, and I make my choice when presented with one.
1. That's still hidden. "read the code" has never been an acceptable answer to how to inform users, and wouldn't even get close to being allowed under the current GDPR or ePrivacy directives.
2. If you want me to pay then you have to tell me how much I have to pay. It's why there are laws on the clear display of prices in restaurants, and that bars in the UK have to have the prices of drinks listed.
If you want me to pay the price to enter your wensite then tell me what that is and let me make he choice.
Over the last 20 years or so companies have been playing fast and loose with people's data, they could have not done that, but the continued, and now this is what they have to deal with. Forgive me if I don't feel sorry for them in the slightest bit
In my opinion, it’s solving the problem at the wrong level. If you, as a government, want to coerce someone into solving this problem, it should be forcing browser vendors to provide more visibility into and control over (especially third-party) cookies.
Instead, we have a banner you have to interact with as the price to visit pretty much any website.
I don’t know, I think the banner is a pain but it is absolutely the responsibility of web developers to allow user choice in tracking. Cookies don’t have to be third-party to be harmful.
If the roads are bad, we need to fix the roads, not just tell everyone to drive better cars.
I mean sure, but technically you already have that choice. It's entirely up to you whether to keep, discard or modify cookies. Your user agent is doing a bad job of managing this for you.
Yes, but in the context of GDPR, which doesn't really go into detail about cookies, "…throughout its’ 88 pages, it only mentions cookies directly once" - https://gdpr.eu/cookies/.
The issue is handling of PII, tracking users and the hoops companies are jumping through to try to trick users into agreeing to allow this. In reality forcing users to select through the myriad of cookies that many sites set isn't practical, and doesn't get round the fact that you still would have to "Receive users’ consent before you use any cookies except strictly necessary cookies."
A better technical solution would be to enforce that web applications respect a client header that specifies the level of cookies the client will allow (see https://gdpr.eu/cookies/).
An even better solution to this would be to stop the invasive tracking and profiling of users that has brought us to this point at all.
A HTTP response may ask the user agent to keep a cookie.
The user agent is free to do so, reject it, or ask the user (as Konqueror did).
It is not the responsibility of everyone responding to HTTP requests to ask to ask “I ask you if I can ask you to keep this cookie”.
Remembering that HTTP is a format of messages being sent between people, it’s clear to me that this law is unwise. Likely written by Eurocrats who don’t understand HTTP.
In principle, yes, but if a browser asks a non-technical user whether they want to accept a cookie called "__Secure-3PAPISID" (an actual Google tracking cookie) with gibberish contents, what are they supposed to say? How can they understand what that means?
It’s true that those who don’t understand what a HTTP cookie is, are unable to make informed decisions about them.
Forcing those who reply to HTTP messages to ask if they can send a header asking if they can save a cookie does not change that - the user who clicks the cookie popup may still now understand what they do.
Many do understand things like private mode though, which is nice.
In this analogy though, browsers really feel more analogous to roads and sites to cars to me, rather than the other way around, being the common infrastructure on which the other operates.
Back in the 90s we had cookie confirmation things. A browser called konqueror even had it on by default. Every time a server tried to set a cookie you got a chance to say no, etc…
For users it was as awful then as the experience is now.
The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.
I would LIKE to say that all this law does is annoy people. I would like that, but no. Instead what it does is train literally billions of people to click "fuck off" (actual text is usually something like "I agree", but what the user means is "fuck off, I'm trying to read the article"), without reading what the box says.
ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.
So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.
Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.
> Back in the 90s we had cookie confirmation things. A browser called konqueror even had it on by default. Every time a server tried to set a cookie you got a chance to say no, etc…
>
> For users it was as awful then as the experience is now.
Yes, I remember. Back in the 90s you could always choose another browser that didn't do that, and we didn't yet have the rampant data collection and exploitation that we have seen since. Back in the 90s it was a novel thing when $known_company got a website at all. In the intervening years a huge amount of our life and identity has moved online.
> The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.
Where there is no way of opting out of the data collection I leave, and I have taught my family to do the same.
It is possible to run a website that doesn't use cookie popups. Amazon UK sets 3 essential cookies (i18n prefs and two session cookies) on first page load. https://basecamp.com/ doesn't set any.
> ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.
Sorry, which websites were warning users of potential security issues before? What choices were users being asked to make? I am not sure we were browsing the same web.
> So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.
Remember that this law isn't about cookies. It's not a cookie law, it's a law about data privacy and control. Cookies are just one part of it. The law also deals with the safe and appropriate handling of user data, and when a website does pop up a huge hard to use banner that uses dark patterns to get you to click it then it's not the EU being annoying and forcing users through this annoying process, it's forcing websites to effectively tell users that they want to do extra things with their data. It's like forcing bank robbers to dress up in stripey shirts and use bags labelled "SWAG".
Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit. You can at that point blindly click the "Accept" button if you want, I choose to leave.
The web industry, and avertisers in particular, have had over 20 years to pull their shit together to avoid this, but they didn't, so now we have this.
> Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.
I've hit very few of those, and to be honest it's not been a particularly big deal. It's also their choice. Don't want to stick to the EU speed limit? Don't drive on the EU roads.
> Sorry, which websites were warning users of potential security issues before?
Not just websites, but applications too. If you had to click "fuck off" to 100 cookie popups today, then when your email client pops up "exe files are dangerous", or your browser says "this website is not secure" you won't even read that, but just press "fuck off, make it happen".
> Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit.
But since that's every website, it's meaningless. Especially since nobody looks at that red flag because of popup fatigue.
I think you're speculating here. Anyway, I don't think the solution to these problems are to just get out of the way and let companies play fast and loose with our data, it's to continually push them to do better.
Am i speculating that all sites of nontrivial size has a cookie popup (or legally should have)? Or that popup fatigue is a thing?
Could you be more specific?
I'm not saying there's no problem. I'm saying this doesn't even close to address the problem, and it makes everything much worse.
I think it's impossible to enforce this worldwide, and any website can be based in any jurisdiction. The consent popups are also super annoying. It's also hard to define what "essential" means.
I'm personally much more in favor of the technological solution: I block all cookies and only explicitly enable them on websites that I need to log in to.
I would disagree with the idea that it's hard to define what's essential: whatever is essential for the function of a website/app. This means things like session login cookies but not analytics cookies.
That is still not clear. Not everyone need to sign in so it could not be essential. It should ask when you want to login if you want to store a cookie or not.
Yeah, that's why it depends on the function of the website or app. If you need to sign in to access an app, and the session token is saved using a cookie, then it can be considered an essential cookie. But on a marketing website that doesn't have a login component then yes, you're right, logging in isn't required and so it's arguably a nonessential cookie.
An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential. They could claim that being able to recommend food based on your past searches is part of their core functionality, and that requires saving searches in cookies, or saving them on the server side with a fingerprint on your side.
You could argue that Yelp is only a yellow pages of restaurants and therefore no cookies are essential. Someone else could argue that they are much more than a yellow pages, that if they were only a yellow pages they would not be profitable and cease to exist, and that their core reason of existence is their recommendation engine. To that person, essential functionality would require more things to be stored.
Then there is a regulatory aspect. Some governments may require their companies to install trackers of sorts. Some governments just don't give a damn and let their companies do as they please. GDPR is not a universal law. It's an EU law. Nobody else has to follow it, and there is no way you'll convince every country in especially Asia, Africa, and South America to follow GDPR. A technological solution on the other hand can deal with the entire problem with a single software update, much more effectively than any legal route.
> An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential.
They could claim that but it would not be relevant in law. The GDPR provides an exception for "strictly necessary" cookies only, as follows:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If I didn't explicitly request for Yelp to show me restaurants physically close to me, or to recommend food based on my past searches, then neither of these things are "strictly necessary" as defined by the GDPR and they can't store personal information about me regardless of what they claim.
On a side note I was once able to get a very precise location even with permissions turned off, simply by virtue of 2 devices being on the same Wi-Fi network, the other device having given permissions.
For one they both appear to the outside as the same IPv4 address, and Wi-Fi doesn't travel that far so you can usually presume they are at the same location. There are other ways like having one device hog bandwidth in a slowly modulated fashion, and have the other device pick up on that modulation in streamed data.
This isn't related to the parent comments and I highly doubt any major apps actually implement this but just pointing out that such a side channel attack is possible.
except that -1: there's nothing illegal about not asking for consent when cookies are not related to, in the cookie itself, personally identifiable information.
You don't need permission to set cookies, every server with session management relies on them. You do need permission to set cookie that may leak PII.
This person should try again, but this time actually look at the content of the cookies to see whether their complaint even makes sense.
No, it’s not a PII related issue. You need consent to set nonessential cookies, regardless if they contain PII. An example is Segment, which sets cookies but may not be tied to a particular user. Segment, at least using just for analytics, isn’t necessary for the function of a website or app, so even if the cookies don’t have any PII you still need to get consent.
You’re right that you don’t need permission to set server session cookies, but that is because that cookie is essential for the function of an authenticated app.
No, you don't: GDPR makes zero stipulations about that, and only requires consent if you're dealing with cookies that either contain PII, or themselves act as PII for cross-site tracking purposes.
Sites are entirely free to set as many cookies as they like for any and all "non-essential" site purposes because anything in place to make a website work can be trivially argued in any court to be essential to running that particular business in the most cost effective manner: page metrics, heat maps, front door proxying, A/B testing, optimization etc. are all part of running a business on the web. Whether you as user consider that essential, or what your opinion is on what qualifies as "cost effective" is entirely irrelevant. Will the site work without an analytics cookie, and an optimizely cookie, and a cloudfront cookie, etc. ? Sure. But if a business decides they need a service that needs cookies set to work properly, as long as no PII is involved, that is not GDPR's concern in the slightest.
I've always doubted that all these popups are actually delay the setting of cookies. With so many options, it would be quite an undertaking to actually only embed what people checked.
If they're for technical purposes, not tracking purposes you don't need permission under GDPR at least. I'm going to assume they know what they're doing, at least until I see evidence to the contrary. Benefit of the doubt, innocent until proven guilty, and all that.
“We need these super high tech cookiemotrons to provide you with the best user experience possible. We consider it a technical necessity to meet your need to have your data harvested. You should be thanking us. We would explain further, but you’re too stupid. What are you gonna do? Have us testify before technologically illiterate politicians and fine us 1% of what we pay our CEO?.”
CEO pay seemed to be $356,952 at time of Slack's IPO.
Maximum fine under GDPR is the greater of 4% annual turnover and $23M. Slack's turnover is too small, which means the maximum fine is $23M, nearly 700% of CEO's basic compensation.
Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.
> Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.
sadly, the regulators are yet to show that the GDPR has any teeth. Most recently, the ICO gave British Airways and Marriott significant reductions on fines they raised last year.
£20M and £18.4M are still reasonably sizeable amounts - and given the pandemic has likely impacted BA & Marriott's profits substantially already, I think some sort of adjustment was likely the fair thing to do.
H&M have been fined £32M. This wasn't hugely far off the 4% annual turnover cap.
Compared to the previous Data Protection Act limits, these fines are definitely significant.
Is this trend of using specific legal concepts and somehow applying them to public discourse writ large ever going to end?
To me, I fail to see how "ads.linkedin" is possibly for "technical purposes." Pretty basic common sense and I don't need to apply some 'innocent before proven guilty in a court of law' standard to my own opinion.
One minute wasted watching this and it doesn't even show the contents of those cookies. Without looking at the contents, it's impossible to tell if they are "necessary for site functionality", for which you do not need consent (as you can see in the video, there is no checkbox for that sort of cookies, they are always active).
Slack has no control over those cookies - but it is of course questionable at best that those third-party services are allowed to embed their crap by default. That's not a cookie consent issue though, strictly speaking.
This isn't accurate. Slack has 100% control over the content that goes on their site, and that includes 3rd-party tracking pixels and other mechanisms that lead to these cookies from 3rd parties.
Google bot protection\re-captcha has cookies in google.com and ARE essential. but in the video you have some other stuff. So, at least for google you can't be sure.
Unless there's actually a captcha on that page, they aren't essential. Furthermore, you could argue that recaptcha itself is in breach of the GDPR as it collects a lot more data than necessary (captchas have been done just fine for decades without collecting any personal information).
When placing cookies, the bar to essential is actually really high.
It has to be essential and unavoidable for the delivery of the bytes to the browser, or it has to be essential for the requested functionality.
The UK ICO has some pretty good guidance. I'd not be confident at all arguing that recaptcha is at all essential under PECR, even though it may be a legitimate interest under GDPR. Important to note that PECR/ePrivacy directive actual goes further than GDPR when it comes to the cookie rule, and you can't use legitimate interest as a basis here!
"This means you are unlikely to need consent for:
- load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers."
You can put a lot of things in this exemption list. I risk to say, even Google Analytics.
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Seems like you can in fact set first-party session tokens without consent. Does not seem like you need a specific reason to do so.
Only if it's needed for giving the user functionality they explicitly request (i.e. after adding something to their basket, they implicitly accept a session cookie that's solely used to hold their basket content). That wouldn't extend to using that cookie for analytics or retargeting though.
So I'd argue it does need to be a specific reason, at least if you follow the ICO guidance (which is probably the best I've found for explaining what's required by the ePrivacy directive)
Don't know about the actual cookies, but I'm pretty sure the "click a simple button to accept all but go through a long and slow process to reject"-pattern is not compliant with GDPR.
Compliant is anything which government do not fine companies for under GDPR. Non-compliant is anything they do. Any other definition isn't relevant in practice. So far I haven't heard of governments fining over this and so it is effectively compliant. So if you have an issue with this behavior complain to your government representatives.
It's not. An update was published to the regulation stating this clearly for those who don't understand what consent means.
The option to accept or reject must be equally prominent, and if there's complications to rejecting, then the consent cannot be considered freely given.
The Cookie AutoDelete extension lets you sidestep these problems completely. You don't need to rely on trust to control your cookies, but a whitelist fully managed by you.
Completely agree. So annoying especially when it take half of mobile device screen
I think with tracking protection in modern browsers it should be absolutely fine to allow websites to store data in any possible way (cookies, local storage, websql etc)
I think many on this site often neglect the reality that soft barriers (having to figure out how to configure your cookie settings) become hard barriers for huge majorities of people.
I'm still hoping we can some day come up with some HTTP header that signals *I know what I'm doing, if you send me cookies I'll keep or discard them as I see fit".
The problem is that the GDPR consent prompts ask for tracking/data processing consent regardless of any technical methods like cookies, local storage or browser fingerprinting.
A browser implementing a cookie consent UI would not fully solve the problem because websites might still want to track you through other means (browser fingerprinting, server-side analytics, etc) and if they want to respect the regulation then they still need to ask for consent.
Well, this would still offload most of it to the browser, and I guess that plenty of websites (especially smaller ones, for which GDPR compliance is likely to be a heavy drag) do not use these other means ?
if gdpr would have used a framework like do-not-track it would have not happend.
but as always in the eu. NIH syndrome. also they did not cared besides multiple people telling the rulemakers that this will happen.
There's nothing about the gdpr that forced cookie banners for each website. The tech industry could have implemented the requirements differently, but they haven't done that, instead taking the most annoying and obvious route. The closest thing to a technical solution that was widespread is do-not-track, but since it gets thoroughly ignored nowadays, it's worthless. As an example, since the DNT header is a pretty clear signal that you don't want to consent for various tracking, websites wouldn't have to display the consent-form for that and could only use essential cookies (or leave a choice for cookies for other purposes, if there are any).
Recital 32:
"This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data."
And according to the ico (https://ico.org.uk/for-organisations/guide-to-data-protectio...), the common click-this-button-to-get-through or do annoying things is not valid consent: "You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.".
The reason why you don't want a specific technical provision in this law (and almost all laws) is that they get outdated in less than five years. For example, imagine a framework based on http-headers fixed in law. That would've made it (almost) impossible for google to introduce spdy in europe, since it isn't http. Or, more general, the EU initiative to use micro-usb connectors would have made the switch to usb-c impossible, if they were written into law. And that's a comparatively slow moving field, with a very specific applications (charging mobile phones).
"Oh, you want us to tell people we're tracking them as a means to stop us tracking them? nah, lets just make the banner as obnoxious as possible so that they hate the banners- if we all do it, people will overturn the regulation"
Hopefully, people will just start to use site that comply without being malicious. I just close more and more often the page when I see this. The reality is that they need readers/users more than we need them.
This is on purpose. It's done to be as painful as possible while being legal to make the user hate the experience and blame the law, not the implementation.
I'm hoping the EU cracks down on dark pattern implementations, malicious compliance (as another comment mentioned) very likely goes against the spirit of the law. The ad-tech industry is quite powerful so I think this will drag on for a while.
While it drags out, I've been stubborn. Always refusing all cookies when I can't zap the cookie banner/blocker with uBlock. The most pain I can take is setting about 20 toggles. There are some implementations creating hundreds of lines of opt-outs, some where you have to opt-out vendor by vendor on their own website. Those are the ones where I close the page and forget about the content. It's not worth the hassle and my data.
I wasn't such an advocate for data privacy half a decade ago, I was aware about it and how it could be used, just had never seen it, not necessarily in action at the time, but being debated on corridors.
The unethical proposals I heard in meetings or by the coffee machines on how to extract/transform/identify through amassing data were quite alarming. Not because they were blatant bad but that the collective way of talking about it completely disregarded the end user.
GDPR really changed that talk internally, it's been a massive effort and a pain in the ass sometimes but I do value the spirit of it. Could it be the wrong approach? Or too heavy-handed? Misapplied? And so many other still unknown problems? Yes, I do think there are too much uncertainty in how this pans out on the long term. I do deeply appreciate the effort though from the EP and the EU in putting this into the public eye, we should have been having this discussion quite some years ago...
There are still tons of open questions and discussions to be had on data privacy laws, I feel the pain of having an increased workload because of it but it should become cost of business. Protection of your customers' data, its usage and their privacy should be a cost of business for companies depending on that. Level the game, create some mechanisms to help smaller companies be bootstrapped with this mindset and with guidelines and best practices for a quick ramp up.
It can be a cost of business for large enterprises, smaller companies might need help to not be overburden if these laws get too complex.
> There are some implementations creating hundreds of lines of opt-outs, some where you have to opt-out vendor by vendor on their own website.
If I'm not mistaken, if there isn't a big 'Refuse All' (non critical) button on the 1rst dashboard 'page', then that implementation is considered to be illegal by the GDPR ?
The part of GDPR that gets applied here is the general standard for obtaining consent. It's very high-level stuff... So, without very specific case law, it's hard to say. The requirement that it should be as easy to revoke consent as it is to give one certainly resembles your argument.
Honestly what's more annoying is websites presenting non-EU visitors with consent banners.
I understand doing an IP based geolocation filter might not meet stringent compliance requirements/might be technically involved, but I resent a UX pattern that repeatedly requests my consent for cookies because, ironically, I do a lot of my browsing in incognito mode.
I would be outraged if I didn't know what cookies were, but since I do, I think it's entirely reasonable, any half modern browser provides a mechanism to allow or disallow, and otherwise manage cookies, and I'd much prefer that we abandon these idiotic "we value your privacy" nag-screens and bars and let it be up to the browser and user settings.
Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:
> I would be outraged if I didn't know what cookies were, but since I do, I think it's entirely reasonable, any half modern browser provides a mechanism to allow or disallow, and otherwise manage cookies…
Unfortunately that mechanism doesn't exist.
> I'd much prefer that we abandon these idiotic "we value your privacy" nag-screens and bars
There's an easy way of fixing this, and that's to just not send the cookies. See basecamp.com or amazon.co.uk (from the UK). No cookie popups, and (respectively) 0 and 3 (seemingly essential) cookies.
> let it be up to the browser and user settings.
That ship has sailed. You now require user consent before you set all but essential cookies https://gdpr.eu/cookies/
> Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:
> If people don't want cookies, they can disable them in their browser.
Ditto. But, seriously, do you know how ridiculous that argument sounds? Don't like people speeding? Don't drive! You are unlikely to be so thick to think that turning cookies off on a web browser will make the web anything other than completely unusable.
> This is still one of the most idiotic laws the EU has made so far.
The butthurt from people about this is amazing. We've had companies playing fast and loose with our data for 20+ years and they had all this time to sort themselves out, and they didn't. They kept on abusing the system to attempt to squeeze out ever more marginal gains from users personal data.
117 comments
[ 3.4 ms ] story [ 200 ms ] thread(more text here: https://news.ycombinator.com/item?id=25028296)
Most popular user agents just keep all cookies by default, but it’s by no means given.
The law seems to make no distinction. As a user, I view every cookie notice as pointless and annoying -- obviously you use cookies, and obviously I'm okay with it. If the notice were specifically about cross-site tracking, that would be a meaningful notice, and opting out would make sense. Session cookies, though? You're warning me about session cookies?
If I could set a blanket "I accept cookies" in my browser settings and have those notices all go away,. I would in a heartbeat.
And, in fact, I DO have a blanket "I accept cookies" setting in my browser. Sadly, I'm still forced to manually opt-in on each stupid website.
Ideally, we would distinguish between different "types" of cookies (and I believe the law requires you do this), and we would have settings specifically for these in browsers (which we sort of do in a limited fashion), and we would simply make it a setting defaulted to "ask". show notice only if the user has manually changed the setting from "ask" to "accept" for the types of cookies used on a site. Boom, useful and non-annoying cookie notices.
Until we do that, it's a bad system, and a useless law.
What do you mean by this? The law does make a distinction between essential and nonessential cookies (cookies that are necessary for the function of the website/app, i.e. session cookies, and not necessary, i.e. analytics IDs) and requires you to get consent for nonessential cookies, while allowing essential cookies. If a website doesn't set any nonessential cookies then it doesn't need to ask for consent.
Session cookies, e.g. are fine. As best I can tell, "remember me" / "remember my email" checkboxes still do require a banner, though I'm not sure. Preference cookies in general seem to. That strikes me as silly.
Facebook's tracking me on thousands of unrelated websites; Wikipedia is remembering that I X'd out the donation banner last week and don't want to be shown it again[0]. These are entirely different use-cases with entirely different privacy implications. As far as I can tell, both require a banner, and while the banner allegedly has (or links to) details about which is occurring, I've never, ever paid enough attention to those banners to see those details.
Part of this mess may be due to the fact that our client software is dominated by the largest advertiser, but I'd prefer regulations that address that by demanding privacy-respecting settings and setting defaults, not by showing me banners that I've never found useful.
I use uBlock Origin and Firefox' tracking protection. I don't use the consent banners. I think most people automatically click "yes" on those, yet given the option to block tracking cookies en masse, would enable that option.
[0] Okay, seems as if Wikipedia ISN'T storing that info, but I wish they did.
I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.
Is there a difference between remembering this "for the current session" vs. "for several weeks"? (The idea of a session is awfully vague given how HTTP works, but seems like one we use anyway.)
> I think that the fact that a lot of websites nag you with endless lists of cookie consent checkboxes, even for functional cookies, is not entirely innocent, and contributes to the idea that cookie notices are terribly annoying and pointless.
One thing I can add is that when I searched for info about the law, I got a bunch of results from cookieyes.com, which told me 1. that I need a cookie banner for any cookies at all and 2. we'll provide you with a cookie banner if you pay us.
So there's definitely some incentives to push unnecessary cookie banners going on. :-)
1. it’s not hidden. open dev tools, see what the page does.
2. someone has got to pay. either a subscription or with your data, the salaries need paying once per month.
1. That's still hidden. "read the code" has never been an acceptable answer to how to inform users, and wouldn't even get close to being allowed under the current GDPR or ePrivacy directives.
2. If you want me to pay then you have to tell me how much I have to pay. It's why there are laws on the clear display of prices in restaurants, and that bars in the UK have to have the prices of drinks listed.
If you want me to pay the price to enter your wensite then tell me what that is and let me make he choice.
Over the last 20 years or so companies have been playing fast and loose with people's data, they could have not done that, but the continued, and now this is what they have to deal with. Forgive me if I don't feel sorry for them in the slightest bit
Instead, we have a banner you have to interact with as the price to visit pretty much any website.
If the roads are bad, we need to fix the roads, not just tell everyone to drive better cars.
You can track people with all sorts of other means other than cookies, you would also need to get people's permission to do this.
The issue is handling of PII, tracking users and the hoops companies are jumping through to try to trick users into agreeing to allow this. In reality forcing users to select through the myriad of cookies that many sites set isn't practical, and doesn't get round the fact that you still would have to "Receive users’ consent before you use any cookies except strictly necessary cookies."
A better technical solution would be to enforce that web applications respect a client header that specifies the level of cookies the client will allow (see https://gdpr.eu/cookies/).
An even better solution to this would be to stop the invasive tracking and profiling of users that has brought us to this point at all.
The user agent is free to do so, reject it, or ask the user (as Konqueror did).
It is not the responsibility of everyone responding to HTTP requests to ask to ask “I ask you if I can ask you to keep this cookie”.
Remembering that HTTP is a format of messages being sent between people, it’s clear to me that this law is unwise. Likely written by Eurocrats who don’t understand HTTP.
Forcing those who reply to HTTP messages to ask if they can send a header asking if they can save a cookie does not change that - the user who clicks the cookie popup may still now understand what they do.
Many do understand things like private mode though, which is nice.
Say I have a dress code at my club. You don't have the right to a "meaningful choice" of wearing flip flops and shorts and still enter my property.
I don't have the right to a meaningful choice of bypassing paywall either.
For users it was as awful then as the experience is now.
The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.
I would LIKE to say that all this law does is annoy people. I would like that, but no. Instead what it does is train literally billions of people to click "fuck off" (actual text is usually something like "I agree", but what the user means is "fuck off, I'm trying to read the article"), without reading what the box says.
ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.
So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.
Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.
Are you in Europe?
Yes, I remember. Back in the 90s you could always choose another browser that didn't do that, and we didn't yet have the rampant data collection and exploitation that we have seen since. Back in the 90s it was a novel thing when $known_company got a website at all. In the intervening years a huge amount of our life and identity has moved online.
> The people who made this law seemed to be under the impression that sites would react by removing cookies. This is naive or plain stupid. Instead what we have now is that every single site has a popup saying "Lorem ipsum" (nobody reads this), and you have to click "fuck off" to get to the content.
Where there is no way of opting out of the data collection I leave, and I have taught my family to do the same.
It is possible to run a website that doesn't use cookie popups. Amazon UK sets 3 essential cookies (i18n prefs and two session cookies) on first page load. https://basecamp.com/ doesn't set any.
> ACTUAL security problems now, or ACTUAL choices, now cannot be warned about. Because if users were not good at reading actual meaningful warnings before, they sure as hell don't read them now.
Sorry, which websites were warning users of potential security issues before? What choices were users being asked to make? I am not sure we were browsing the same web.
> So not only is this law (1) not helping, people still have cookies. It's also (2) annoying absolutely everyone every day, with up to four "fuck off" buttons users need to click per page load, and (3) actively hurting via huge externalities, as described above.
Remember that this law isn't about cookies. It's not a cookie law, it's a law about data privacy and control. Cookies are just one part of it. The law also deals with the safe and appropriate handling of user data, and when a website does pop up a huge hard to use banner that uses dark patterns to get you to click it then it's not the EU being annoying and forcing users through this annoying process, it's forcing websites to effectively tell users that they want to do extra things with their data. It's like forcing bank robbers to dress up in stripey shirts and use bags labelled "SWAG".
Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit. You can at that point blindly click the "Accept" button if you want, I choose to leave.
The web industry, and avertisers in particular, have had over 20 years to pull their shit together to avoid this, but they didn't, so now we have this.
> Oh, and for extra bonus on a weekly basis I run into websites that chose to simply block users from EU IPs, presumably after a ROI calculation. Thanks, EU.
I've hit very few of those, and to be honest it's not been a particularly big deal. It's also their choice. Don't want to stick to the EU speed limit? Don't drive on the EU roads.
> Are you in Europe?
For now.
Not just websites, but applications too. If you had to click "fuck off" to 100 cookie popups today, then when your email client pops up "exe files are dangerous", or your browser says "this website is not secure" you won't even read that, but just press "fuck off, make it happen".
> Any website that is doing that is basically being forced to wave a big red flag "I AM DOING DODGY THINGS WITH YOUR DATA" when you visit.
But since that's every website, it's meaningless. Especially since nobody looks at that red flag because of popup fatigue.
I'm not saying there's no problem. I'm saying this doesn't even close to address the problem, and it makes everything much worse.
https://www.youtube.com/watch?v=8TvCGWwQr5o
2. Install uBlock Origin (https://www.ublockorigin.com)
0. Don't illegally put nonessential cookies in the browser without the user's consent.
I'm personally much more in favor of the technological solution: I block all cookies and only explicitly enable them on websites that I need to log in to.
An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential. They could claim that being able to recommend food based on your past searches is part of their core functionality, and that requires saving searches in cookies, or saving them on the server side with a fingerprint on your side.
You could argue that Yelp is only a yellow pages of restaurants and therefore no cookies are essential. Someone else could argue that they are much more than a yellow pages, that if they were only a yellow pages they would not be profitable and cease to exist, and that their core reason of existence is their recommendation engine. To that person, essential functionality would require more things to be stored.
Then there is a regulatory aspect. Some governments may require their companies to install trackers of sorts. Some governments just don't give a damn and let their companies do as they please. GDPR is not a universal law. It's an EU law. Nobody else has to follow it, and there is no way you'll convince every country in especially Asia, Africa, and South America to follow GDPR. A technological solution on the other hand can deal with the entire problem with a single software update, much more effectively than any legal route.
> An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential.
They could claim that but it would not be relevant in law. The GDPR provides an exception for "strictly necessary" cookies only, as follows:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If I didn't explicitly request for Yelp to show me restaurants physically close to me, or to recommend food based on my past searches, then neither of these things are "strictly necessary" as defined by the GDPR and they can't store personal information about me regardless of what they claim.
For one they both appear to the outside as the same IPv4 address, and Wi-Fi doesn't travel that far so you can usually presume they are at the same location. There are other ways like having one device hog bandwidth in a slowly modulated fashion, and have the other device pick up on that modulation in streamed data.
This isn't related to the parent comments and I highly doubt any major apps actually implement this but just pointing out that such a side channel attack is possible.
You don't need permission to set cookies, every server with session management relies on them. You do need permission to set cookie that may leak PII.
This person should try again, but this time actually look at the content of the cookies to see whether their complaint even makes sense.
You’re right that you don’t need permission to set server session cookies, but that is because that cookie is essential for the function of an authenticated app.
Sites are entirely free to set as many cookies as they like for any and all "non-essential" site purposes because anything in place to make a website work can be trivially argued in any court to be essential to running that particular business in the most cost effective manner: page metrics, heat maps, front door proxying, A/B testing, optimization etc. are all part of running a business on the web. Whether you as user consider that essential, or what your opinion is on what qualifies as "cost effective" is entirely irrelevant. Will the site work without an analytics cookie, and an optimizely cookie, and a cloudfront cookie, etc. ? Sure. But if a business decides they need a service that needs cookies set to work properly, as long as no PII is involved, that is not GDPR's concern in the slightest.
Take your privacy into your own hands, why leave it to others to implement. Many won't
Browsers may not have white lists but rather always set cookies, but it is not a given.
For this reason, I wish my government would have rejected the ridiculous cookie law, and GDPR as well.
Slack operates in the EU and has paying customers in the EU. It also likes to take advantage of anti-competition regulations when convenient: https://slack.com/intl/en-in/blog/news/slack-files-eu-compet...
CEO pay seemed to be $356,952 at time of Slack's IPO.
Maximum fine under GDPR is the greater of 4% annual turnover and $23M. Slack's turnover is too small, which means the maximum fine is $23M, nearly 700% of CEO's basic compensation.
Regulations here have teeth; it's not the United States - and it's a good thing for society that they do.
sadly, the regulators are yet to show that the GDPR has any teeth. Most recently, the ICO gave British Airways and Marriott significant reductions on fines they raised last year.
H&M have been fined £32M. This wasn't hugely far off the 4% annual turnover cap.
Compared to the previous Data Protection Act limits, these fines are definitely significant.
Citing the maximum possible fine here does essentially nothing to convince me of that fact.
TIM were fined 2780% of the CEO's base salary recently.
To me, I fail to see how "ads.linkedin" is possibly for "technical purposes." Pretty basic common sense and I don't need to apply some 'innocent before proven guilty in a court of law' standard to my own opinion.
Sorry, I fail to see how Slack has "no control" over the usage of ads.linkedin cookies?
It has to be essential and unavoidable for the delivery of the bytes to the browser, or it has to be essential for the requested functionality.
The UK ICO has some pretty good guidance. I'd not be confident at all arguing that recaptcha is at all essential under PECR, even though it may be a legitimate interest under GDPR. Important to note that PECR/ePrivacy directive actual goes further than GDPR when it comes to the cookie rule, and you can't use legitimate interest as a basis here!
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
"This means you are unlikely to need consent for: - load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers."
You can put a lot of things in this exemption list. I risk to say, even Google Analytics.
No cookies are 'necessary' to just display information, pics and videos.
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Seems like you can in fact set first-party session tokens without consent. Does not seem like you need a specific reason to do so.
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
So I'd argue it does need to be a specific reason, at least if you follow the ICO guidance (which is probably the best I've found for explaining what's required by the ePrivacy directive)
heck even the confirmation or storing which cookies should be saved needs a fucking cookie.
I have no issues.
There's a difference between a law which is not enforced and a law which a particular entity (but not others) manage to evade.
I merely pointed out that the entity to blame isn't the corporations who follow the law as it is applied but the government who enforces it that way.
The option to accept or reject must be equally prominent, and if there's complications to rejecting, then the consent cannot be considered freely given.
Disclaimer: I'm not a lawyer.
I think with tracking protection in modern browsers it should be absolutely fine to allow websites to store data in any possible way (cookies, local storage, websql etc)
The problem? Websites were not only ignoring it but using it as yet another tracking vector.
A browser implementing a cookie consent UI would not fully solve the problem because websites might still want to track you through other means (browser fingerprinting, server-side analytics, etc) and if they want to respect the regulation then they still need to ask for consent.
Why don't we have any browsers that aggressively deny and block tracking?
Oh right, the ad companies.
This would be like Go-Ahead-And-Try-Track-Me-I-Dare-You.
And according to the ico (https://ico.org.uk/for-organisations/guide-to-data-protectio...), the common click-this-button-to-get-through or do annoying things is not valid consent: "You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.".
The reason why you don't want a specific technical provision in this law (and almost all laws) is that they get outdated in less than five years. For example, imagine a framework based on http-headers fixed in law. That would've made it (almost) impossible for google to introduce spdy in europe, since it isn't http. Or, more general, the EU initiative to use micro-usb connectors would have made the switch to usb-c impossible, if they were written into law. And that's a comparatively slow moving field, with a very specific applications (charging mobile phones).
"Oh, you want us to tell people we're tracking them as a means to stop us tracking them? nah, lets just make the banner as obnoxious as possible so that they hate the banners- if we all do it, people will overturn the regulation"
I'm hoping the EU cracks down on dark pattern implementations, malicious compliance (as another comment mentioned) very likely goes against the spirit of the law. The ad-tech industry is quite powerful so I think this will drag on for a while.
While it drags out, I've been stubborn. Always refusing all cookies when I can't zap the cookie banner/blocker with uBlock. The most pain I can take is setting about 20 toggles. There are some implementations creating hundreds of lines of opt-outs, some where you have to opt-out vendor by vendor on their own website. Those are the ones where I close the page and forget about the content. It's not worth the hassle and my data.
I wasn't such an advocate for data privacy half a decade ago, I was aware about it and how it could be used, just had never seen it, not necessarily in action at the time, but being debated on corridors.
The unethical proposals I heard in meetings or by the coffee machines on how to extract/transform/identify through amassing data were quite alarming. Not because they were blatant bad but that the collective way of talking about it completely disregarded the end user.
GDPR really changed that talk internally, it's been a massive effort and a pain in the ass sometimes but I do value the spirit of it. Could it be the wrong approach? Or too heavy-handed? Misapplied? And so many other still unknown problems? Yes, I do think there are too much uncertainty in how this pans out on the long term. I do deeply appreciate the effort though from the EP and the EU in putting this into the public eye, we should have been having this discussion quite some years ago...
There are still tons of open questions and discussions to be had on data privacy laws, I feel the pain of having an increased workload because of it but it should become cost of business. Protection of your customers' data, its usage and their privacy should be a cost of business for companies depending on that. Level the game, create some mechanisms to help smaller companies be bootstrapped with this mindset and with guidelines and best practices for a quick ramp up.
It can be a cost of business for large enterprises, smaller companies might need help to not be overburden if these laws get too complex.
I don't think I'm too revolutionary.
If I'm not mistaken, if there isn't a big 'Refuse All' (non critical) button on the 1rst dashboard 'page', then that implementation is considered to be illegal by the GDPR ?
We only we could be free to skip asking, right?
I understand doing an IP based geolocation filter might not meet stringent compliance requirements/might be technically involved, but I resent a UX pattern that repeatedly requests my consent for cookies because, ironically, I do a lot of my browsing in incognito mode.
The intent of GDPR is to reduce this, but companies seems to prefer providing a terrible UX instead of respecting user's privacy.
Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>; Description=<LANGUAGE:User readable description,...>; Importance=<Required|Recommended|Noncritical>
If people don't want cookies, they can disable them in their browser.
This is still one of the most idiotic laws the EU has made so far.
Unfortunately that mechanism doesn't exist.
> I'd much prefer that we abandon these idiotic "we value your privacy" nag-screens and bars
There's an easy way of fixing this, and that's to just not send the cookies. See basecamp.com or amazon.co.uk (from the UK). No cookie popups, and (respectively) 0 and 3 (seemingly essential) cookies.
> let it be up to the browser and user settings.
That ship has sailed. You now require user consent before you set all but essential cookies https://gdpr.eu/cookies/
> Even the smallest change to the Set-Cookie header could have made it trivial to implement a browser-side UI for this:
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>; Description=<LANGUAGE:User readable description,...>; Importance=<Required|Recommended|Noncritical>
That ship has, as I said above, sailed.
> If people don't want cookies, they can disable them in their browser.
Ditto. But, seriously, do you know how ridiculous that argument sounds? Don't like people speeding? Don't drive! You are unlikely to be so thick to think that turning cookies off on a web browser will make the web anything other than completely unusable.
> This is still one of the most idiotic laws the EU has made so far.
The butthurt from people about this is amazing. We've had companies playing fast and loose with our data for 20+ years and they had all this time to sort themselves out, and they didn't. They kept on abusing the system to attempt to squeeze out ever more marginal gains from users personal data.
This is on them.