A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.
True. Also even if you do track your visitors you can use privacy friendly (and ideally selfhostable) Analytics like Plausible https://plausible.io/ so you won't need the banners either.
Just don't include facebook like buttons or any of these widgets
You cannot stop that. You can get around it for a while by serving the script yourself and setting a CNAME record for your domain to point to us. That's why we recommend integrating Pirsch into your backend so that it can't be blocked: https://docs.pirsch.io/get-started/backend-integration/
Wouldn't that still violate the law but just be harder to detect from the client? If so, I don't think GitHub (i.e. Microsoft) would find it a compelling approach.
The backend already stored all the information about the users. Why would it violate any laws if it stored a bit more or a bit less info? Things can get tricky if Github exported the collected data to third party for analytics.
part of the GDPR law is the intent of the information you are storing, not the method. Cookie is just a technology. If you track your users using a DB it still applies and you need consent if the tracking is not necessary
See my profile if you want, that was my first comment in hours. I think it is that sort of brake, (prevents heated discussions veing quite so quick-fire) but it's not on the user, it's on everyone for <'5 [or something] minutes ago' comments; drcongo's happened to be '0 minutes ago' when I loaded the page, so I clicked on it to reply.
IANAL!!!! But I think, yes, there are still implications. GDPR makes no distinction about back end and front end AFAIK, it's just about what data you collect and why/purpose.
But note there are other reasons you can have for collecting data other than consent (something often overlooked) - for example I would guess GitHub would log IP addresses in the back end for a limited time for spam fighting reasons, and I think that would be fine.
It would still be a violation because of how you're using it. The law isn't purely about what data you track, it's primarily about what you do with the data.
To my understanding of the GDPR, as soon as you track any identifier that makes those data non-anonymous you still need consent for that. It is not about the cookies per se.
That's not as accurate as throwing around cookies and JavaScript, but I rarely check the log pages anyway, and when I do I'm less interested in raw numbers than I am in the relative performance of various pages. (And that's mostly just idle curiosity, e.g., are there some old articles that keep getting steady traffic from somewhere?)
Looked for a few minutes and couldn't find the full answer. How does Plausible calculate unique users if it can't store some type of identifier on the page?
I see this... "We do not generate any persistent identifiers either. We generate a random string of letters and numbers that is used to calculate unique visitors on a website and we reset this string once per day."
Probably like we do it for pirsch.io, by calculating a hashed fingerprint and throwing away the individual page hits once per day: https://github.com/pirsch-analytics/pirsch
What's the privacy benefit over storing a tracking cookie with expiry of a day? If at all, random cookie seems better for privacy as in your case if someone really wants it, they can recover the IP if the user agent is not rare by searching for all IP(4 billion IPv4), User-Agent(100 for popular browsers), the date(1 day as date is stored separately), and a salt(known to server), easily within reach of anyone.
It doesn't use cookies. Fingerprints are calculated on each page hit.
The salt must be treated like a password to make sure it's not that easy to brute force it and no one should get access to your database of course ;) It's not the strongest anonymization, but good enough considering that the hits will be deleted once a day by batch processing.
> How can Plausible Analytics count unique visitors without cookies?
> So if you don’t use cookies how do you count the number of website visitors and report on metrics such as the number of unique users?
> Instead of tagging users with cookies, we count the number of unique IP addresses that accessed your website. Counting IP addresses is an old-school method that was used before the modern age of JavaScript snippets and tracking cookies.
> Since IP addresses are considered personal data under GDPR, we anonymize them using a one-way cryptographic hash function. This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. We never store IP addresses in our database or logs.
...
> In our testing, using IP addresses to count visitors is remarkably accurate when compared to using a cookie. Total unique visitor counts were within 10% error range with IP-based counting usually showing lower numbers.
Don't universities have a huge number of IPs because they were the first to use internet ?
Mine gives one public ipv4 per device that access the internet on the network (with some exceptions). Strategies varies but if you have a lot of addresses why not use them.
A one way hash of an IPv4 address is no more private than the address itself. If you know the has algorithm, you can build a rainbow table of all the hashes in under a second. Even with a random salt it doesn't take long to build a rainbow table with all possible salts.
To an extent, but there are easy ways to cut the search space. For example, you could make a unique request with garbage on it from a known IP every day, and then all you have to do is build a rainbow table for that one IP to find out what the salt is for each day, and then you can fully reconstruct the logs.
Does anyone happen to know of a service like this that is free (not self hosted) for non-commercial, low-traffic sites? Or which costs less than ~$10 per year.
I have a basic Github Pages site, and I currently don't know whether anyone is looking at it, beyond the very few who take the time to email me. I don't need (or want) to know anything about my visitors, but it would be nice to know that I'm not simply tossing stuff into the ether.
Few years back I created some HelloWorld application on Google's AppEngine (requires Java, Python or Go) and was positively surprised about its statistics on theirs dashboard.
I get requests to /wp-login.php (and the like) on my simple Haskell web app hosted on my university's servers. They're quite persistent and I'm not even sure how found the URL to my app in the first place (the format is something like universityname.com/~userid/projectname, and I haven't linked it anywhere).
To be fair, most of them probably do. It's not like the introduction of GDPR in Europe 2 years ago suddenly made all of the shit a marketing dept shoves into Google Tag Manager completely legit and above board.
These third parties will take what you give them and _also_ take what they can get from your browser if you're embedding their script. Are you going to proxy those scripts as well to stop them getting the user's IP address and then geolocating it to grab even more info?
The cookie warning banner is bullshit only in the sense that it achieves nothing. Accept it or deny it, it won't change a thing. Same with the tracking consent popups: despite the law saying they should be opt-in by default, they're still treated as opt-out by default, meaning that all of these sites _still_ collect your data because you're blacklisting individual sites from tracking, as opposed to whitelisting them. You need to set a cookie to say that you don't want tracking and not thousands of cookies to say you do want it?
That's being tracked... it's all wrong. Literally everything you offer as information, or don't offer, is another node in their graph.
Or they treat continuing to use the site as consent. Some of them are really passive-aggressive about it too. I've seen cookie banners with wording like "We use cookies, because duh, who doesn't in 2020? Click here or keep using the site to accept."
Completely at odds with the whole "informed consent" thing.
And then they wonder why we use things like uBlock, which are pretty much the only tools we can rely on to genuinely revoke consent. Or revoke as much of it as possible.
I thought that with the recent changes to PECR they that clarified any non-essential cookie-like technology needs permission, irrespective of whether it's first party or pseudonymous. And additionally that analytics does not count as strictly necessary.
I have nothing directly against cloudflare but I think it would be better to try to support one of the smaller analytics companies if possible. They are the ones who made products that got big companies like cloudflare interested in the space.
https://simpleanalytics.com/
Says this on their homepage:
We don't use cookies or collect any personal data. So no cookie banners, GDPR, CCPA, or PECR to worry about.
Seems like a cool company/project to me.
But, it's not free :(
$19/mo
Still thought it's worth pointing out.
IANAL, but my understanding is that you might still need a consent box even if you use Plausible.
I've only skimmed over the docs, but it looks like they derive a unique identifier from the IP address and user agent which changes every day. IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent. This is speculation though so I'd be interested to hear what others think.
If it is critical to the operation of the website (functionality like storing saved items in a shopping cart, or security), then you wouldn't need consent.
In reality though, Plausible looks great and using it is a huge improvement over Google Analytics for privacy.
My understanding is that this kind of active consent that we see as popups everywhere on the web nowadays applies to cookies only. So I would assume that if you can track user activity without a cookie you wouldn't need it. It should probably be stated in the privacy policy though.
I'm not an expert in this even though I'm a webdev from the EU, so I'm also interested in other people's input.
GDPR doesn't care if you're accomplishing the tracking with a cookie or using a different mechanism. You're not allowed to do it either way, unless the user has consented.
Since I’m being downvoted: The EU directive that specifically obligates websites to collect informed and active consent for the use of cookies is not GDPR, it’s the ePrivacy Directive.
I don’t believe that one should automatically conclude that just because a cookie requires active consent, any kind of ‘logging’ (local and temporary storage of IPs in order to track website usage) requires active consent. Those are two fundamentally different things.
I’m not saying you should hide the fact that you’re doing it. I’m saying it should be stated in the privacy policy.
Also remember that there is a big difference between ‘personally identifiable information’ and ‘sensitive information’ which are clearly separated concepts in GDPR. Not all collection of data requires active consent.
I did read my EU state’s guideline on GDPR in full, but I’m not an expert. I would suggest reading up on the ePrivacy Directive though, which is still in effect.
Not sure why you're being downvoted, yeah cookies are handled by legislation other than GDPR (ePrivacy as you mentioned).
However regardless of whether you're using cookies, I still think you need to collect explicit consent as GDPR requires a lawful basis of processing, and I don't see how analytics would fall under any of the other lawful basis's other than consent (_maybe_ legitimate interests?)
If you are using cookies, then my understanding is you need to collect consent where necessary under _both_ ePrivacy and GDPR.
> IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent.
Only if there is a bijection between the identifier and the IP address, so that you could re-derive the IP address from the identifier. Otherwise, I do not see how the identifier itself would count as PII.
This way of divorcing data from PII by replacing it with pseudonymous identifiers which cannot be linked back is a relatively standard technique for this.
No, it applies to every resident in EU and EU citizens all over the world.
Edit: https://gdpr-info.eu/art-3-gdpr/ ("where Member State law applies" and "subjects who are in the Union" [...] "regardless of whether the processing takes place in the Union or not" respectively)
Edit 2: https://gdpr.eu/companies-outside-of-europe/ for more info: "The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"
I read that and it said that it applies to data not processed in the EU. I always interpreted that as applying to data centers and such in something like an was availability zone in the US. It said “ the monitoring of their behaviour as far as their behaviour takes place within the Union.” I never thought that applied to EU citizens all over the world. EU citizens living in another jurisdiction would be subject to that jurisdictions laws right? For instance GDPR wouldn’t apply to a Spanish expat that lives in Thailand, as far as I understand it.
Yes, but if you reside in Spain and use a VPN with Thai exit node to access a site in Thailand you are stil residing in the EU and in turn the Thai website needs to comply with GDPR.
Through non compliance can only be enforced if the entity behind the website/app or similar does enter the EU or does business with the EU.
Well, somehow we in EU have to comply with DMCA, which is not an EU law. Every company that _does business in_ EU can get in trouble for not following EU law irrespective where it violated that law.
Sure they can, at least in theory. US citizens have to pay taxes no matter where they reside. Most countries will prosecute certain crimes abroad if those crimes were committed by their citizens or against their citizens or against the state.
The practical question is just if they can get hold of the people acting unlawfully.
And as far as I know there is no ruling that using a VPN or other kind of proxy does make you count as "being in the country of the exit node wrt. actions done through the VPN".
Which means that you can't say a user is not residing in the EU (without a popup asking the user if they are residing there... ;=) ).
On the other hand if there would be such a law it would have kinda interesting consequences.
The GDPR is implemented in British law, that's how these directives work.
Once the UK leaves the EU, they're no longer obliged to keep their implementation of the GDPR. The government can choose to keep their implementation, and in practice keep the same regulations as the GDPR, or they could reduce or remove their privacy protection laws as they see fit.
With London being famous for their camera surveillance, I expect the UK to reduce some if not all of the privacy protections the GDPR brought to the world.
The GDPR is a regulation (hence the R at the end) not a directive.
It became UK law as soon as it was passed by the EU, and it didn't need to be implemented in to UK law.
The UK has already passed their amendments to the GDPR,[0] which will effectively fork it into the "UK GDPR". These will come in to force on the 1st of January.
There's a "Keeling Schedule" available[1], which is effectively a diff between the EU GDPR and the UK GDPR.
It's related to the ePrivacy Directive, which is deeply intertwined with GDPR but a separate piece of legislation. It's not clear whether the GDPR's territorial applicability also holds for ePD. France in particular is drawing a divide between GDPR and ePD, because ePD lets them fine Google directly but GDPR require they mediate through the Irish DPA.
The "cookie law" as part of the ePD is indeed older than the GDPR, but the GDPR kinda supersedes it by including all tracking/data collection not just cookie data collection.
It's also not entirely correct that the GDPR would require going through the Irish DPA or wherever a company in violation has their primary EU presence for tax purposes. True, the GDPR says the nation where a company has the primary presence of business within the EU take lead within the EU should take lead, but the French courts figured out that Google's Irish subsidy is actually not making any decisions, the US parent is, and therefore it's fine for the French watchdog to issue fines skipping Ireland [1].
GDPR does not supercede the ePD. The ePD is, according to its own text, a law that extends the general privacy regulations to certain aspects of internet technology. So in many cases it defers out to the general privacy law in effect.
When ePD was passed, that law was the DPD, Data Privacy Directive. When GDPR was passed, all ePD references to the DPD became references to GDPR instead (this is Article 94 of GDPR). But ePD remains entirely in effect, just with updated references.
Most importantly, ePD requires Consent in certain cases, but defers to DPD/GDPR for what is the definition of consent. GDPR's definition of consent is much more stringent.
In cases where the ePD did not refer out to DPD, it remains unchanged by the passage of GDPR. So, according to CNIL, it does not include the one-stop-shop mechanism. See section "The competence of the CNIL" in the link below:
Except that if the sites don't do annoying things there is no need for annoying popups.
The EU law:
- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need a opt-in only if it's tracking people in any way are such opt-ins needed
- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
- is not limited to cookies btw.
All in all this means that for any site not based on ad-revenue they fully can get away without needing any annoying popups, if they don't do some sneaky questionable things.
Even for ad's there are ways to do them without annoying popups, you just need to not track people, tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.
Similar if you track people only after they clicked on the ad you don't need annoying popups on the site the add is one but only on the site the app navigates to (through only start tracking after opt-in). Which given that many adds try to sell you stuff and buying thinks only requires a account isn't that big of a problem as it might seem.
In the end you can say the only reason there are so many annoying popups is because most companies have not intention to respect the privacy of their users. Actually if you look into it and realize that many popups are not legally conform or borderline illegal it becomes clear that they do not only not respect the users privacy but the users themself.
Through I have to note, that while many (most?) companies can switch to respectable advertisement, some companies can't as easily do so.
> if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalise.
That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.
Hm true ToS checkmark is not enough, you need to make the opt-in part clear. But it should be enough to do so when creating a account and for every change. At least if you put a reasonable findable setting page in which allows you to review/change such settings.
But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.
The thing is, tracking cookies don't annoy me, because I block all cookies anyway (unless it's one of the few sites I need to actually log into), so they can't track me with them.
It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.
I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than a GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.
But the EU law is not just about cookies. It's also about e.g. fingerprinting your browser which is very hard to effectively block in practice.
It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law then GDPR which is about storing data on user PC's but that is also not about cookies but about any browser storage and more or less got superseded(1) by GDPR.
(1): Ok, that is quite a oversimplification, but most popups are now about GDPR and having them also covers the other law.
As far as I know if you only use the logs for DDoS protection and not for e.g. statistics and only store it as long as you need it for it and then delete it, it _I_ think should be legal without a popup banner, through maybe only if you don't give it to 3rd parties for DDoS protection? I have to look into this again.
The problem is the "only" part(s) ;=)
Oh, and you must reasonable convey that DDoS protection is essential for your service etc. Which if you ever had any (non super small) DDoS attack should be reasonable easy.
But I'm no lawyer and a bit of time passed since I last looked into it, so if I now would need to do a cooperate decision I would look it up again.
I really wonder genuinely if the regulation has improved anything at all. I just click through the banners without even thinking. It has become so annoying. The value I get is below zero. I wonder if the majority is like me.
Yeah, maybe. But not by clever design. The opt-out boxes are usually designed as secondary buttons. The opt-in is designed as primary button. So if you want to change something you have to really think and make a deliberate choice, whereas most people in that moment just want to see the damn content of the site.
That's because the website operators deliberately design the experience to be obnoxious and frustrating.
They want you to have a bad experience if you decide to opt-out of detailed behavioural tracking, so that you'll feel pressured to "consent" to detailed behavioural tracking, and so you'll feel like the GDPR is to blame, even though it isn't.
I've put "consent" in quotes because it's not freely given consent if you are heavily pressured into it, and it's not consent at all if you end up believing you don't really have a choice.
These banners/dialogs do not even comply with the GDPR (despite saying the GDPR requires them), as GDPR says consent to non-essential personal data collection about you must be as easy to withdraw as it is to give, and the service you get must be the same if you don't consent as if you do.
Same here. and I'm on ublock origin and the rest. It's just ghastly, of all the scams (tech support and more) and other misery on the internet, the EU is just absolutely fixated on some of these random things.
The regulation explicitly forbids annoying banners, the problem is that there’s currently zero enforcement of it so websites continue breaching it and lying to themselves (and others) by thinking their consent banners are compliant.
Enforcement is already happening. Multiple confirmed cases of fines being handed out to businesses, organisations etc :-)
More importantly IMO they are also contacting entities up front to tell them about violations and how to get compliant, the fines we have seen yet seems (again IMO) to be only for particularly nasty cases and/or cases where the entities in question refuses to change.
This means the fines we are seeing is just the top of the iceberg: most changes happens underneath the surface and only trickles up in the form of less annoying websites (or fines) little by little.
You have to love how the regulator did not even try to define what they mean by "annoying". Thus making the whole law completely useless.
In my book, any single pixel of my limited screen real estate that gets dedicated to this useless regulation is annoying. If the EU wants to enforce this, they need to provide a way for me to basically say "Yes, I agree with all tracking cookies for all sites forever", and never see a banner again.
That's correct. Using cookies for the user session is fine and does not require consent as long as you really are just using them for the user session. The moment you use them for analytics, you have to request consent for analytics, even if they are primarily for maintaining the user session.
If we're talking about Github, no, I don't think it's a clever hack. I think they've actually ripped out the offending usages.
The reason I find that believable is that their core business is selling a git server with bells and whistles. From Microsoft's perspective, Github doesn't need to be doing any marketing because they kind of are the marketing.
Whether they complied in other ways is irrelevant to whether this case is non-compliant, and the point was about reuse of cookies for analytics, not marketing.
I don’t understand your point. You’re asking whether they’re trying to work a loophole or a clever hack, and I said that I don’t think they are and that I think it’s credible because they don’t have profit motives that would drive them to take that legal risk.
You don't think they do analytics on users based on these cookies session? Because doing that without the consent pop-up is (I claim above) illegal, and so the clever workaround fails.
I would be really, really surprised if Github were the only Bay Area unicorn that lacked a product manager nagging them for more analytics. The fact that they don't need to sell the analytics is irrelevant.
I can't speak for Github, but I can speak for my team in [tech giant]: if I wanted to do analytics on end users I'd have to go through a review to confirm that I would not be violating privacy laws. I literally couldn't query them if I wanted to without jumping through technical hoops with audit processes and paper trails.
I do believe Github is legitimately trying not to use that data for analytics. But whether some PM in there is querying that data for analytics purposes: at that point we're just speculating based on how cynical you or I want to be. I don't think that's a meaningful point.
Also: I'm not saying I don't think they do analytics. I'm saying I don't think they are using users' personal data for analytics. That's an important difference with respect to GDPR.
No, it wouldn't be in the EULA. There are two parts of GDPR that would specifically go against putting consent to tracking in the EULA:
1. GDPR requires the consent check to be somewhere obvious and in plain language. That was specifically to deal with EULA's given to you in tiny legally compliant text boxes.
2. GDPR requires that you cannot make consent for non-essential usages of data mandatory as a condition for providing your services. Tracking only logged-in people for analytics falls into the category of non-essential purposes. That requires explicit consent, even if consent is not required to use the exact same data for authentication checks.
But wouldn't that be asked for at the same time as signing the EULA, i.e. at account creation? If you're avoiding banners, I can't think where else you'd put it.
If a cookie is not necessary (or you are using a necessary cookie for secondary purposes), then you need GDPR-valid consent. This means:
1. Consent must be separate from other terms being agreed to. So consent in the EULA would not be valid.
2. Consent must be an affirmative, unambiguous action. Pre-ticked boxes or bundled consent are not valid.
3. Consent can be revoked at any time. Revoking consent must be as easy as giving it.
So yes, you can ask for it from a user when you're having them agree to the EULA. However you can't have it as part of the EULA, it has to be an optional add-on. And you still need to let people turn it off afterwards.
Not even then - there are plenty of analytics you can do without a cookie banner, as long as they don't identify the user.
Conversely, anything you do other than your obvious business requirements (e.g. if you buy something physical I need some address or identity to verify at pickup) requires consent whether or not it's analytics.
(Not a lawyer, not legal advice, jesus just don't track people...)
> then you still can’t use those cookies for other purposes, like analytics, right?
Yes. It’s not the cookies, it’s what you make the use of them.
The wording even predates GDPR. You could even dispense of the banner if you had DNT set to 1 or 0, since that would count as consent/not consent resp.
Are we claiming that if GitHub has a dashboard like “number of concurrent sessions” and “average length of session” and “unique users who touched this feature” it would be a GDPR violation?
seasion ids are unique? are they personal data if you cannot link them to an individual? count those. let’s say you are paranoid and someone, somewhere can link those random ids to people. So hash those random ids with a key that this someone has no access to. Now you have anonymized ids you can count uniquely and that cannot be linked to individuals.
You can anonymize data if you really want to and use it for understanding trends, usage etc in a privacy respectful way. Few companies bother these days though. And yes if you want a 100% watertight way, it’s hard.
It looks like you can still be tracked as long as you are logged into your Github account? (Or even if you are not logged in as long as only Github/Microsoft is tracking you?)
Another question is how exactly can Github be trusted to not send this tracking to Microsoft? It's not like this is something that we can check... I don't think that the EU is going to send inspectors to Microsoft?
I just checked my cookies on the Github website and had several tracking cookies (including Google Analytics).
Then I realized I should probably clear all the cookies for Github, and start over with a fresh session. So I deleted all cookies that Github had given me (which was 12) and refreshed the page. As expected, I was now logged out and Github immediately issued you me 4 new cookies.
• _gh_sess (a fresh session cookie)
• _octo (not sure what this is, might have something to do with cache-busting? Looks like it contains something resembling a version id/string)
• logged_in (my logged in status, now false)
• tz (my timezone)
All of these are valid cookies (assuming that _octo is for cache busting) that would not require a cookie banner.
So then I logged in. I now have 10 cookies. None of them appear to be tracking cookies.
• __Host-user_session_same_site (14 day session token)
• device_id (this contains a random string to differentiate this device. Initially I was concerned with this, thinking it might be a fingerprint. But it is far too short for that, and it appears to be a flash cookie. It expires as soon as it is issued, so it only lasts one request. This is likely used to improve your experience in the case that you are logged in across multiple devices to differentiate which device is making a request within the current session)
• gh_sess (same as before, session)
• _octo (same as before, presumably cache-busting)
• dotcom_user (contains a string with my github username)
• has_recent_activity (boolean value, likely used to display "unseen notifications" on the front-end)
• logged_in (same as before, except now true)
• tz (same as before, timezone for frontend time displays)
• tz (now have 2 timezone cookies. Both are currently the same timezone, although I assume the first one is a timezone gathered from my system clock and the new one is a timezone gathered from my github settings which they now have since I logged in. This is probably a bug where they expect to overwrite the first one, but since one is set to the github.com domain and the other is set to all github subdomains then it didn't overwrite)
• user_session (yet another session token with 14 day expiration. However the session token in this cookie and the __Host-user_session_same_site cookie are the same. Not sure reason for the duplication)
So those are all the cookies that Github now gives you. 2 of these seem to have duplicates. Meaning the same could be done with 8 cookies instead of 10. But regardless, all cookies seem to check out. None of these are tracking your usage and are there to improve your logged in experience. Tracking things like your username and recent activity boolean are most likely being used to save making the same database queries for every request. The others are just tracking sessions, which is something that users definitely do want. The 14 day expiration is a good middle ground between convenience and security.
At the beginning I mentioned that I had two tracking cookies before I cleared my cookies. These are gone after the refresh. So it looks like github has in fact stopped issuing tracking cookies altogether. They also seem to have removed Google Analytics entirely as I don't see the script on their website at all.
So all-in-all this definitely checks out. I don't see any GDPR violations here or reason to display a cookie banner anymore.
I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.
I know plenty of people here have problems with Github, but I think it is exciting to see a large company like Github (Microsoft) take this step.
> I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.
Considering Microsoft's size, wouldn't this still be a concern, and might even still violate GDPR if they were to use identifiers like IP or Microsoft accounts between their various services ?
For an even more extreme version: see Google or Amazon (AWS).
Yes! If you use cookies for essential functionality (like keeping track of logged in status), you don't have to do anything. No banners, no annoyance for your users.
I dropped all third-party crap from my site way back and haven't ever needed a cookie banner.
It is, because "logged in" is an abstraction - someone has to decide how frequently you have to contact the server before being considered to have "logged out".
a cookie representing authentication session with your app isn't personal data, and doesn't need privacy policy, especially if your login is arbitrary and not an email.
It doesn't matter how long it's active either, unless you use it to track users activity elsewhere
If it's used to determine identity, it's a kind of personal data.
However, as you say, it might be allowed by GDPR without requesting extra approval, depending on the way that it's being used and who it is shared with?
Hence my question about whether the length of time that you store this data legally matters (because since databases can be stolen, it eventually does). Compare with how ISPs must store all your connection logs for a specific amount of time.
a session cookie establishing your authentication session only links you with the account in the system. Now, what other data is attached to that account is another thing. For example, the typical forum of yore would only have to take care of emails at best - if it doesn't have personal data, it's irrelevant, because you can't link that identity with your IRL identity.
Length of time you store the data doesn't matter, except in the sense where you can prove that effectively you do not store it at all - for example by anonymization of logs so that you do not effectively store IP addresses, even if of course they have to exist in full in the system at some point to keep the connection open.
Part of the problem is that when it first passed, the advice was to just add a cookie banner no matter what to be safe, since no one really understood the law and exactly when it did or did not apply.
You are right, and that unfortunately happened because nobody even tried to read the law (which is quite clear regarding this). It's easier to just follow other sheep.
generally they are used to protect against DDOS and to have forensic data in the case there is malicious behavior and are allowed as essential to operating the service.
I can see a need for cookies to mitigate against things like DDoS attacks, session management for paywalled content or just to leave comments on articles, favoriting certain sections. There are several reasons why as a reader you would want the site to be stateful.
Helps separate real traffic from DDoS traffic.
e.g. traffic from someone that also visited the site prior to the start of the DDoS is vastly more likely to be real traffic.
More information is in Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Party of the European Commission about Cookie Consent, which elaborates about the topic:
(The §29 WP is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Maybe they are waiting for a forthcoming ePrivacy Regulation. Also: IANAL.)
> A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.
A lot of people also have the misconception that the EU cookie law applies to them, even if they are not in the EU and have no EU physical presence.
It's not about physical presence. It's about whether the EU could do something to punish you. For every big company that is true. For example the EU can force Visa/MasterCard to stop doing business with you.
If you're small enough, then the EU won't bother doing anything.
If you don't even depend on any 3rd party that is vulnerable to EU will then you can fully ignore everything. That can be tricky to achieve though. No common money transfer methods and you must be self-hosting.
Also, all of this isn't new. The US has been enforcing its will globally in a similar fashion for a long time.
People get scared of lawsuits, especially if they're from a very litigious country like the EU. Companies lobbied against the law hard, spreading the idea that any visitor of your website could sue you for millions because you sent a cookie header. Reality is much less scary for most decent people.
Technically, the law applies to everyone worldwide, regardless of location. However, if you have no business in the EU and don't plan to expand your current business operations to the EU, you don't need to worry.
Hell, if you don't meet the requirements, the relevant enforcement departments generally give you plenty time to implement the necessary requirements or block access if you're a dick. The exception, of course, is data brokers and huge companies like Facebook or Google where the impact is much larger.
The GDPR doesn't expose you to lawsuits from anyone but the privacy monitoring instances of EU member states. The average American blog or news site isn't nearly large enough for any government instance to start a lawsuit.
You can also ask yourself: so what if they fine my company a €10.000. They're not going to send a team of special forces over the Atlantic or through Russia just to extract the cash from you. You only need to pay the fine if your company ever needs to do business in the EU. If your company structure makes your personally liable, this also impacts your future holiday destination decisions, but you can live perfectly fine without seeing the Eiffel tower.
A lot of very similar laws are also being passed in California right now, which will probably be a lot more dangerous than any GDPR restriction, but if you follow the GDPR you're pretty much set to protect yourself from Californian lawsuits as well.
Most of the GDPR is just "don't be a dick with people's data". If the fear of not meeting requirements stops the free-for-all data exchange market, then I'm perfectly fine with that.
The GDPR applies to anyone anywhere processing personal information (such as IP addresses) of people inside the EU (both EU and non-EU residents).
That doesn't mean that you're necessarily at risk of any lawsuits or effective action, but what you're stating is wrong. Physical presence has nothing to do with it.
As a corporation, of any size, you are not beholden to laws made in other countries, unless you do business in that country or have a presence of some kind in that country.
With exception of large, international organizations, that doesn't apply to nearly all business outside the EU.
No, it absolutely does not "[apply] to anyone anywhere processing personal information of people inside the EU." I don't know why people keep saying this, I have no idea where this misconception came from.
>Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Recital 23 of the GDPR provides some more information about when an organisation would be considered as targeting users in the EU:
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.
EU laws simply do not apply to the world, even if the EU thinks they should.
> The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.
Perhaps not, but the EU is the world's second-largest economy (only $2tn behind the US and $4tn ahead of China) accounting for about 1/5th of the global economy.
If one wants to operate a company that does international business, one will probably want to do business in the EU, which means following EU law in such matters.
Well, it's a reasonable misconception to have, banners don't usually explain everything, they mostly say "hey, we use cookies", and not "hey, we use non-essential cookies".
Finally someone who knows this! Even (some) "SEO advice" blogs have suggested to just use local storage instead of cookies.
Just no.
Both the e-privacy directive and the GDPR are very broad in their articulation and never mention specific technique's, technologies or anything like that. A good example is gdpr article 32.
Fun fact: the e privacy directive (which defines the cookie rules) isn't actually passed yet and technically you don't need cookie banners how they are now. Purely informational banners would be enough, but the directive already _should_ have passed but was delayed, and since gdpr spooked everyone, everything and everyone is using cookie banners now anyway
>Fun fact: the e privacy directive (which defines the cookie rules) isn't actually passed yet and technically you don't need cookie banners how they are now. Purely informational banners would be enough, but the directive already _should_ have passed but was delayed, and since gdpr spooked everyone, everything and everyone is using cookie banners now anyway
The ePrivacy Directive passed in 2002. It was amended in 2009 to include the cookie rule. The ePrivacy Regulation which would codify cookie requirements as an EU-wide regulation has not passed yet.
You're confusing the upcoming ePrivacy regulation with the existing ePrivacy directive - one that's been in force for 18 years.
Just like people thought that the data protection was a new concept when the GDPR was created, ignoring the fact that the Data Protection Directive had been around for decades.
Right, what I meant is that only using essential cookies should be the default web development practice. Instead the default these days seems to be websites that are positively larded with third-party scripts, analytics tools, and other crap.
If they've gotten rid of 3rd party analytics, does this mean they're just using their own? Presumably session cookies count as "required", and could be used to track your actions at least on github.com.
Sure, but considering GitHub doesn't have advertising[1], and they're not sending it to a third party (like Google, who does), it's very hard to imagine any use for first party "tracking" that might harm you.
Presumably the most they're using this for is recommending potentially interesting repos to you.
[1] Potential concern would be if "Microsoft" was considered "their own", since Bing does have an ad network. But my guess is between still having separate accounts and being treated as separate companies, that is not the case here... yet.
Remember that they have LinkedIn as well, and quite possibly could put together a fascinating view of software job profiles, candidates, and repo language/activity to gain value entirely within their own organization. Something like LinkedIn recruitment recommendations improved with GitHub contribution activity might be a fascinating recruitment product: ads are not the only way to gain value.
Yeah, I think my comment is still applicable as is: The risk here is entirely dependent on whether or not "first party" means "GitHub" or means "Microsoft and it's various properties".
My guess is that, at least, for now, it refers to GitHub, as you agree to GitHub's Terms of Service, which doesn't actually mention Microsoft as a party.
What matters is the purposes that the cookies are used for, not how many there are or which service set it.
A session cookie that is also used for tracking would qualify as both a functional and a tracking cookie, and thus generally be illegal (since you can't consent to the tracking if it's under the threat of being unable to use the service).
I presume this is indeed what they're doing given the wording of the post:
"(And of course GitHub still does not use any cookies to display ads, or track you across other sites.)"
That exactly leaves out "track you on our own site". But honestly, I have absolutely zero issue with them tracking my behavior on their own site. I know how valuable it is to be able to learn/see what users are doing, and they should absolutely be able to do that.
Tracking individual behaviour on their own site without notification is still illegal under the GDPR, so no, they should not absolutely be able to do that.
The GDPR isn't about "3rd party analytics". It's about collection of personal data as qualified by the purpose of that collection, regardless of who collects it.
You can still do analytics client side without the use of cookies. You just lack the view of a user and a session sice the cookie holds the primary key used to tie events into a session. You are basically just dispatching page views and events. Your reports will not look great but it's possible and probably will be a nice complement to a server side analytics solution.
I assume that means a lower ad revenue and lower quality analytics. I wager they did a study and found the benefits of removing the dialogs outweigh the costs.
Cookie dialogs are indeed horrible and out of control. Good on them for making the jump. But I doubt many others can justify the cost associated with the change. We need a better solution that gives users choice but reduce the friction caused by annoying prompts.
This is great! GitHub continues to, somehow, surprise me.
One question I do have, however, is whether or not the new homepage[0] which shows where people are when they open a PR actually reveals their present location. In the few samples I checked it did not seem that the presence of the person indicated matched their bio's location settings. If it is truly unmasking people's location I think it should be opt-in only, since it is private information. An employer or state may have issues with someone opening a PR from a specific country at a specific time, for example.
[0] It may be required to open this in an incognito browser.
I spot-tested a three of them and for each one I tested, it matched the information from the user's GitHub profile.
The users might not know it's being used for marketing on the home page, but it seems to be (again, just spot-tested) information that they provided for their /public/ profile.
Edit: NEVERMIND! Just checked a fourth and code from someone with "United States" in their profile showed as coming from Minneapolis.
If anyone wants to do any further analytics on it, it's easy enough to pull PRs and lat/lon from that.
It does look like lat/lon might be a fixed value for each city (from spot checking a couple). If it's not, that would be surprising and a pretty egregious leak of user info.
I'm an American that's currently in Europe, and I recently downloaded a mobile ad-blocker for the purpose of blocking cookie popups. I was already blocking most tracking at the DNS level, so this was mostly for cosmetic purposes. Blocking consent banners has made browsing the mobile web so much more pleasant.
Can anyone familiar with the topic explain what distinguishes essential from non-essential cookies?
GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.
I can guarantee that you could throw a rock in your city’s business district and hit a lawyer that is in the process of doing incredible mental acrobatics to wrangle Google Analytics to be an “essential part of the offering”.
I work a lot with GDPR and making sites compliant, and some agency's do in fact tell this to their customers. I suspect it's to sell their Services for cheaper.
Luckily where I work we are pretty serious about this stuff. Since one of our main revenue's is Data protection consulting, anything else would be idiotic anyway
I believe it is generally untested in law whether third-party Analytics count as "legitimate interest" (direct consent not required) in EU GDPR, which is why cookie banners talk a lot about "legitimate interest" now.
Authentication and authorization cookies seem pretty essential for any website that has accounts. If you block those cookies the website stops working -- they're essential.
If you block ad networks and analytics the site functions just fine -- they're not essential.
Beyond that there's probably some sort of "need to know" test to prevent convoluted fake dependencies.
They are not really, really essential. No cookie is essential. A long, long time ago I worked with a web system that kept session info in a URL parameter, and carried it over all the links. I think it was a C# website, but I'm not sure.
I love those systems. Especially when the unwary users share links, accidentally letting other users into the site as them. Or when google indexes it, and in addition to terrible security, the site uses regular GET links to perform site actions, so google deletes the user's content or buys a bunch of stuff as them while walking the links it finds as it indexes in beyond the user's initial account bearing link.
Yes. Some sites operating like that eventually tried to work around this issue by tying it to the IP, but you can see how that is hopelessly broken anyway.
> You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".
You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.
Link sharing is an issue, for sure. You could tie the session id to the IP, but that doesn't work when people share their IP, which is more and more common every day. IP tied session would work better with IPv6, though.
Yes ASP.NET allows (allowed? Haven’t used it in years) cookieless sessions this way. The problem is it has to rewrite all the relative links on the page to ensure session state is not lost.
The problem is it’s makes urls horribly unwieldy if a user wants to bookmark or paste in links from emails etc etc, or writing JS to interact with links, not to mention the security issues of being able to accidentally share your session.
The website at my college we used to register for classes and some other stuff used this method. For whatever reason though, the logic was wonky, and the site would give an error if you used the "back" button in the browser, and you'd have to go back to the home page.
In WAP times there was no such feature as cookies available.
I started programming by writing WML pages instead of HTML. Good memories from those times!
Implementing session handling as URL parameters makes no difference from a legal perspective. It will be covered by the law excatly the same as if one used cookies.
It's the tracking the law is about, not the implementation of it.
Your just picking a worse technical solution for no legal gain.
Those were great. I hung around a forum around 2004 where someone posted a link to jeans he just bought from a smallish online store - the URL contained the PHP session identifier. Thousands of people had instant access to his address + bank information + purchase history, and could place orders for him.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
There isn't an obvious bright line, and that's probably intentional.
This is not legal language or legal advice, but the gist of it is "if you don't have it, can your website still do what it claims to do?"
For a site like Github, if you can't use cookies to maintain session state, you'd have trouble implementing login sessions, so that's pretty squarely on the essential side of the fence.
But moving into murkier territory, how about logging the IP addresses you signed in from? If you're using it to detect new login locations or new devices as a security alerting thing, then I think you can make a strong enough claim that this is essential. (Again, not a lawyer, this is not legal advice.)
What if a PM wants to look in these logs for how many unique users show up in each country? That's pretty squarely on the side of analytics, and is probably not essential.
But... muddying the waters more, what about if an engineer wants to query unique users to figure out how many more racks of servers to buy? I have no idea. I'd be asking a lawyer.
- Security stuff (auth tokens and similar) are generally essential (if only used for that purpose).
- Any form of tracking people is generally non-essential.
What you can and can't do is not based on technical implementation details but practical usage of the information!!
The tricky part if when both overlap, i.e. if you track people but only for assuring a secure operation, i.e. you don't use the tracking information for anything besides their main purpose of assuring secure operation.
A lot (all?) of systems which provide such security specific tracking do not strictly limit their usage, access and collection of information and as such are also used for non-essential purposes and in turn need opt-in.
But then sometimes companies try to abuse it and will do do until taken to court.
For example Facebook argued that people use Facebook with the (main) intend to get customized ads and as such tracking them is essential for Facebooks service. As you can guess this argument is completely ridiculous especially given that they also track users which don't use Facebook, but if you are the size of Facebook you can try to bring that to court and maybe gain a bit more time before you need to comply.
There is no direct language about cookies in article 5(3) of the ePrivacy Directive. What we have is Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Group of the European Commission about Cookie Consent, which elaborates about the topic:
(The §29 WG is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Also: IANAL.)
Nat's right: this IS a no brainer. SourceHut hasn't had any non-essential cookies since day one. If you're reading this, Nat - how about removing third-party resources entirely from your pages next?
Why, and which third-party resources are you referring to? Looking at uBlock Origin in a GitHub PR page now, I see the following domains:
- github.com
- githubusercontent.com, DNS pointing at github.map.fastly.net
- githubapp.com
- githubassets.com
All these are GitHub-owned, so from a privacy / customer relationship standpoint it looks fine (except github.map.fastly.net , which is probably for CDN purposes), isn't it? I mean: there is zero googleanalytics / zendesk / tracking saas nonsense here. Or are you making this point from a performance standpoint?
By the way, I haven't used SourceHut yet, but thanks a lot for your opensource work.
github.blog loads third-party content from Google and Wordpress. GitHub proper also has first-party analytics scripts, which disregards Do-Not-Track and shouldn't be there at all.
Great move! Now that some big sites like Github curb their use of invasive third-party analytics I hope more will follow suit. For Github it's probably easy to do this as they can extract a lot of insights from the actions their users perform on the site that are visible in their backend, so they probably don't need event-based analytics so much.
I just block cookie banners with a combination of custom JS/CSS and uBlock Origin. I hate those abominations.
Ironically, these sites need to use additional cookies to remember that you clicked away the banner, and part of the problem is I also blanket block all cookies on sites that I don't need to log into, so they don't get to "remember" anything.
I hate the standard wording on Cookie banners. Most of them should read:
"The site uses cookies. Actually it doesn't - you are not logged on and we don't need to maintain state. But our advertising partners, their partners, and their partner's partners all love to set tracking cookies. Click here to consent to three dozen cookies from around the globe."
“And we would rather not have this crap but nobody pays for content are there only two types of ad networks: privacy preserving and paying so we’re stuck. Please call your congressperson to complain [here].”
I'm confused.... AFAIK the biggest ad company, Google, doesn't share your private info. It's not in their interest to do so. Instead they keep it to themselves and then offer ads by categories so as a 3rd party I can say "Please target this ad at 'video game players'" but I can't ask "give me the names of video game players"
Why not just let browsers controls who sets what cookies?
I'm tired the endless cookie popups, can we come up with an "allow cookies if the browser accepts them" standard as long as that guarantees no cookie popups?
Then browser vendors can ship a delete all non same origin cookies on tab close or something.
This is (mostly) based on EU law; entities that set cookies and track user data are required to get opt-in permission from users before doing so, and if the user declines, the entity cannot offer a degraded service.
At least that's the idea. In practice, almost everyone just throws up a banner that says "fuck you, we're selling your data as hard and as fast as we can," with no opt-out available, but they pretend that this is compliant with the law.
What keeps back Mozilla to implement this setting and lobby for a general Web API for expressing cookie consent? As far as I can tell, their users would be extremely happy about that.
Because it won't take off. Right now, the advertisers are basically hoping for you to be too lazy to click around ten minutes to find the 'no'-option. If every user would be presented with a fairly weighted chance once, hardly anyone would click yes. Accepting this standard would undermine their business even more.
It can, first iteration used the Do-not-track header, but that died in the standardization process, now there are a movement for the Global Privacy Control header that you can read about here: https://globalprivacycontrol.org/
The new one I'm seening is you opt out easily enough, but there's a subtly hidden tab called 'legitimate interest' and every ad network claims to have a legitimate interest in harvesting your data, even though you've got no business relationship with them.
What should be happening is every company that's done that should be getting massive fines, but instead all the enforcement agencies are doing nothing.
If a company is going to lie or skirt the law about their cookie use, why show the banner at all? It's almost worse to show a decline option that does nothing.
Malicious compliance is still compliance. Somebody being told "Please watch the pressure gauge." and then staring at it as it goes outside of safe regions is doing exactly what they were asked to do. This is blatant noncompliance with the thinnest veneer of respectability.
Yeah, people should start reporting these sleazy sites to their authorities if in the EU. I'm hoping that GPDR enforcement will eventually get up to speed.
Except that those authorities are often stripped of resources toothless organizations often made to serve as digital potemkin villages to the public, everyone knows this and can't be bothered one second of their life to be wasted on that bs.
I typed "cnil fines" (the CNIL being the French data watchdog) on google which led me to their sanction page [0] which features 100M€ fines to Google and 35M€ to Amazon _last week_. It is surely not much in the grand scheme of thing but surely this is more than a mere Potemkin village.
I typed "UK data watchdog" (for I did not know its name) and while it is true that I needed more clicks than for France, I found their enforcement page with their list of fines [0]: £18m here, £2m there...
They also had a massive budget shortfall which meant they sent out what amounted to a protection racket letters demanding £40 per year from every UK business, even though almost none of those businesses should be paying it.
All this while simultaneously investigating the ad industry, finding it is egregiously breaking the law, but then doing nothing about it.
The UK's ICO is taking an extremely broad definition of who should be paying it, but an extremely narrow definition of who it should enforce against.
I might add that the £40 it is demanding is almost 3 times the normal £15 yearly fee for running a business in the UK.
That's true, but I wish they spread their reach wider. These fines to Google/Amazon/Facebook make the news, but are just a slap on the wrist to these giants. What would work much better is a wider campaign of smaller fines, so that everybody in the sleazy business would know or heard of someone who was fined.
Legitimate interest exists, and we use it at work. But because I work in the field of security, and for the sake of our infrastucture, we log specific informations and might drop a mandatory cookie at a time.
Everything outside that field cannot, I guess, be considered as legitimate interest.
The absolutely funniest interpretation of ”legitimate interest” is in a recurring spam message I get from (of all things) an email lead marketing company.
They have small print after each of their emails that says that GDPR allows them to email me because they believe I might be legitimately interested in purchasing their services.
It's not really about cookies but more about non-essential information gathering, of which tracking is a part, and some forms of tracking use cookies. So basically, three levels deep before we go from the law to cookies. Then again, people have an easier time talking about 'cookie popups' instead of 'information harvesting', which sadly hides the real issue.
Does this mean that sites that offer free but ad-supported content still have to offer that content? So I can watch those free Youtube movies and listen to those Spotify tracks ad-free because EU Law says fuck you.
How is this fair?
Edit: Okay, okay, non-targeted (and no 3rd party) ads are okay, got it xD
You can display ads just fine without using cookies. You just can’t track people across the web.
Also Spotify can easily require a free login and associate everything with that, no tracking cookies required. They just can’t associate your playlist with your web browsing habits.
No, it just means those ad-supported sites cannot use cookies to spy on you in the name of personalized ads. They are still free to display "generic" ads including content-related ads. Same as old school TV, radio and print ads really, which couldn't track me either but sustained those broadcasting companies and publishers well enough.
Billboards, newsletter ads, flyers etc won't track whether you look at them as well, and last time I checked print advertisement still kinda sold.
Tracking is not necessary to show ads. Certainly there are business models which depend on this, but hey who says our society benefits from those? Targeted advertisement and free informed democracies don't mix well IMO.
Especially ironically, Facebook has been taking out newspaper ads to whine about how it needs targeted advertising to survive, and how mean Apple is harming them.
Once, and only once, since GDPR was implemented, I found a banner that was actually compliant with the GDPR. It defaults to allowing only necessary cookies, requires affirmative consent before any other cookies are used, and makes rejection of tracking have no additional steps compared to accepting tracking. Every other banner I have seen will violate those in some way, either saying that continued use of the site constitutes acceptance, or requiring unchecking of several boxes before clicking accept, or requiring going to dozens of affiliate websites in order to search out and disable tracking settings there.
As in, this is the first GDPR banner I've seen that is actually legal under the GDPR.
My favorite of the week: Doordash. Doordash does not use two-factor authentication, except for one thing: opting out of having your data sold. For that, it sends an SMS message to your phone. Since I signed up for them using a landline, the SMS message is lost.
Its a shame the EU became laser focused on cookies, which can be managed technically by browser settings, and not on dark patterns like these. Or how US consumers complain about being able to subscribe to a service via the web but must call a customer service person to cancel, often with a lengthy wait, dropped calls, and being transferred to a sometimes rude 'retention specialist.'
There's so much more pressing than just cookies imo.
Contrary to popular belief, GDPR has nothing to do with cookies and isn't even about the web specifically. It is - as it says right in the name - a General Data Protection Regulation.
Oh man this makes my blood boil, another reason ill never thouch MS again is they they removed the cancel xbox live subscription button for NZ subscribers and I assume other locales where they didnt have some law forbidding it, the feature to cancel was there but they decided if they could to hold you hostage and made you call and waste lots of time via as painfull process as possible to cancel
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
This if from article 7 of the GDPR [0]. Clearly the situation described involves a much harder time withdrawing consent than giving it - which goes against the law.
I may have misunderstood what you meant but how is this being laser focused on cookies? This articles applies beyond the Internet anyway.
Sad but true, i wish there was some way to change the current state of affairs, but EU is a juggernaut that has lost track of its citizens wishes regarding cookies.
One of the most precious things we have is time and the constant cookie interruptions are a nuisance that should be kept from sight.
Practically there is only one browser, Chrome. And we know that it's not in Googles interest to do any of that. They are actively fighting and diluting tools and techniques that would prevent tracking.
This is where we were before the GDPR. You can order your browser not to accept any cookies. But since you need atleast one cookie (or other way of persisting data on the client) for stateful http connections the burden to sort out the bad ones is on the consumer. This is exactly what the legislation wanted to prevent.
I feel that browsers should implement a permissions grant pop-up for when a site attempts to set a cookie with SameSite=none, and the cookie api can be extended to enable explanations to be given by the developer.
This essentially moved the banner into the browser, and will make will make ad networks tell websites to not use SameSite=none, but use SameSite cookies and tell those ad networks behind the scenes. There are plenty of ads now already that are seemingly first party hosted (and go as far as transmitting the ad content through e.g. websockets to avoid adblocker detection).
I would like to store a cookie or a client-side cert to remain logged in, but not the other cr. Granted, they could use that cookie to track me, but this is what GDPR is about.
IIRC, Internet explorer used to ask you for each cookie, circa 2000. These pop-ups became more and more common with time. The web would be unusable with those nowadays.
> Then browser vendors can ship a delete all non same origin cookies on tab close or something.
That doesn't prevent Facebook or Twitter or advertisers in general from tracking you across dozens of pages or more, it just means that they'll have to issue you a new cookie each session.
1. A law that aims to prevent stealing should be deterring thieves, not just regulating padlocks.
2. Technical measures are insufficient because cookies are regulated by purpose. A third-party cookie for fraud detection is allowed; a first-party cookie for analytics requires consent. It also prevents using necessary cookies for secondary purposes, something that literally cannot be accomplished through technical means alone.
As a minor point, the so-called "cookie law" also regulates browser fingerprinting. I have a hard time imagining that you could legislatively mandate effective anti-fingerprinting approaches.
The reason you are provided many free services is because you ARE tracked / analyzed and marketed to. That is the CORE of the business. The popup will say, do you accept this cookie and being tracked to use this free service. Everyone literally clicks yes. I can't believe the billions of wasted clicks and manhours that have gone into this charade.
> Why not just let browsers controls who sets what cookies?
Because it doesn't have anything to do with cookies. You don't need a banner if you use CSRF cookies, you don't need a banner if you use them for stuff like CloudFlare's anti-DDoS script, and you certainly don't need a banner if your site requires cookies for basic functionality like logging in.
The browser can't possibly tell what the server is doing with its cookies. It might even be using a single cookie as CSRF protection and ad tracking at the same time.
TZ/lang preferences do not require consent, a CSRF token for a logged in user seems to me to be legitimate interest too, but I suppose you could see it as an identifier that can be linked back to the user. I still think if you're using it just for security purposes it counts, but the fact that the same identifier could be used for tracking based on differences on the backend is one of the reasons why this isn't just based on browser cookie settings.
well it's legal to create a hash and save it inside a database to count unique users. if the hash is not connected to any info that would identify a user (btw. user agent is some kind of identifing stuff) it is fine.
what I wanted to say is that cookies are not illegal by gdpr means and gdpr does not make a lot of stuff illegal, it's just that SAVING personal information or information that could identify somebody needs explicit permission.
edit:
another thing ip addresses, by german law you are required to save it, when a user can register on your site and your site allows users to submit data. because authorities force you to give them out when a user did something illegal. (§ 7 Abs.1 Satz1 Nr.4 TKÜV, https://www.gesetze-im-internet.de/tk_v_2005/__7.html) In germany it's basically: fuck the privacy if they harmed our law! or at least you need a way to "activate" saving ip addresses.
How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent), that seems pretty clearly identifying. If you generate a random identifier but save that identifier in their cookies and send it back next time, also pretty clearly identifying.
> How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent), that seems pretty clearly identifying.
of course that is forbidden.
and that's exactly why it is really hard to tell if companies honor it.
Consent often involves more than just cookies. Consenting essentially allows them to use other tracking technologies beyond cookies such as IP addresses or browser fingerprinting.
This is also why the GDPR requires consent forms instead of relying on browser cookie settings, as it covers the intent of tracking itself as opposed to any technical means by which it is achieved (and this is why functional cookies such as for logging in or shopping carts don’t actually need consent at all).
I hate the implication that those banners are some sort of consent. They're so commonplace now that people blindly click 'okay' or close them just to be able to read the site. If the wording was something else ("you agree that we can take your first born child") would it even hold up?
The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.
and often it works like - please leave the site nothing here for you button. Amazing how irl businesses use such types of third party booking systems with ads and other crap showed down your throat, that's for anything from hairdressers to carpenters, one would think at least they don't require you to login via fb, ah waaaait, some of them do. The web dystopia is here now, enjoy it.
The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.
Some sites don't even give you a "Disagree." Liberty of London has no way to opt-out: "By closing this box or by clicking accept and close, you agree to our use of cookies."
I have never once in my life clicked on any of these banners. In no way have I given them my consent. I simply ignore them. If they track me, they're breaking the law.
the law requries either consent or legitimate interest ( there are even more options - but not relevant here ). So they can track you without consent and not breaking the law.
There are somewhat strict rules of what is legitimate interest. And sending data to a US company (Google Analytics) even requires some extra steps beyond normal consent, now that the privacy shield has been scrapped.
"Legitimate interest" (Article 6.1.f) is one of the weaker clauses for lawfulness of processing as it comes with the following caveats:
1. Having some legitimate interest is not necessarily sufficient - the privacy interests of the data subject can override the legitimate interests of the controller (Article 6.1.f itself), so the controller has to explicitly take the privacy interests of the data subject into account, and the reasonable expectations of data subjects matter. So this can be tricky, as it's up to the organization to demonstrate that their legitimate need outweighs the data subject interests.
2. the right to object of Article 21 applies for this clause, with explicit clarification in 21.2 that yes, people do have the right to object to direct marketing profiling;
3. the controller is required to explicitly inform the users "At the latest at the time of the first communication with the data subject" that they have the right to object to this processing (Article 21.4, and Recital 70);
4. As article 21.5 states "the data subject may exercise his or her right to object by automated means using technical specifications", so this opens the way for specifications such as the upcoming Global Privacy Control header (https://globalprivacycontrol.github.io/gpc-spec/) which would be a legally binding "I object" mechanism.
Because of this, whenever an organization can assert some other basis for lawfulness of processing (e.g. consent or performance of contract) then that would be a safer option than trying to assert a legitimate need.
Very true! yet lots of companies still (try to) hide behind it. My recent experience was with Sonos. They heavily track you without opt-in/explicit consent and hide behind legitimate interest.
when it comes to cookies the ePrivacy directive 5.3 is more strict and requires explicit consent for non-essential cookies and similar technology (incl. fingerprinting). Look up the recent case against Apple IDFA. Legitimate interest does not come into play here actually.
on mobile so can’t easily post links unfortunately. EDIT: here’s a couple of links
I find these pop ups weird. Shouldn't we get an option to say, "Disable tracking"? These pop ups don't really have any utility because a banner won't stop them from reading the article.
"We're not going to lie to you. Your privacy isn't our priority. It's not even close. Not because we want to track your every move. But because we simply don't care. We'd rather spend what limited time we have actually improving the web site. We're into taking pictures and adding content, not obsessing over what your dog had for lunch so we can sell it to MegaEnormousBigCo. We're not tracking you. We're not tabulating you. We're not folding, spindling, or mutilating you. Seriously, your personal life is not important to us. However, you may or may not be of interest to the people who advertise on this web site."
The last sentence is the key part. I could respond in kind: No one cares if you care or not. We only care about the people who are willing to buy that stuff from you.
Here's the other perspective: Data brokers don't really want your data if you don't want them to have it. It's a legal liability for them, and most of them are struggling to work at the scale their customers demand already. But publishers want high advertising rates and that means advertisers want to make good bids and that means both actually want a data broker involved to deal with the technical (collection, filtering, aggregation, ETL) and legal (GDPR) bullshit.
But then publishers and advertisers don't do their due diligence or decent engineering and just shovel illegal shit to data brokers on the backend. The ones that shut up and launder it do well; the ones that actually try to do a good (technical, legal) job drown in account management and data processing overhead.
So fuck that site. They are the ones that care about your data, they're just making a show of keeping their hands clean while they pay someone else for the dirty work and hiding behind their (half willful half stupid) ignorance of how their own industry works.
The same without tracking users with personally identifiable information. You know how many people clicked on which button, but you don't know that the user 05475524789 who clicked on the button lives in South Europe, has HIV, and is interested in video games and vacuum cleaners.
Nice. I wonder if one could build an analysis program to determine if you actually need the banner or not, with some reasonable accuracy. I would love to see those cut down.
It's definitely not mandated by GDPR. Look how annoying Facebook, Google and countless news sites' cookie banners are. I don't know GDPR, but I'm sure their lawyers do.
I’m sure that GitHub certainly has analytics; they just don’t use third-party analytics. This means that either they’ve built their own tool or are self hosting someone else’s. I imagine that GitHub has some amount of internal tooling here out of necessity, e.g for metrics about how people use GitHub over SSH.
However they cannot use data that allows to identify an user (such as an IP address) in their analytics, unless the user has granted them explicit consent to use that data for the purpose of analytics.
So my understanding is that there is a big difference between this and "they just don't use third-party analytics".
It would be super nice if they clarified this in the blog post. Maybe by adding something like "We do not use personal data in our analytics".
By looking at http access logs, like since the beginning of times? Note if by modern sites you mean SPAs, you could still make HTTP pings for those features; might not make much sense to use SPAs for content-driven sites though.
Good question! We just shipped GitHub Discussions to millions of developers and we can learn whether people use and like the product by looking at whether people are creating discussions, customizing categories, and answering questions.
The argument that you need to follow users around every step of the way to build great products is simply untrue.
I find it annoying that 3rd party analytics gets lumped in with ad tracking. Analytics is incredibly useful for improving products, it lets you see where users are having a hard time and it lets you do experiments and measure the results. It's beneficial to both the user and the company, it's a win-win.
633 comments
[ 3.2 ms ] story [ 314 ms ] threadJust don't include facebook like buttons or any of these widgets
(I had to do it here too.)
But note there are other reasons you can have for collecting data other than consent (something often overlooked) - for example I would guess GitHub would log IP addresses in the back end for a limited time for spam fighting reasons, and I think that would be fine.
I agree with you by the way, but ...
On my personal web sites I'm using GoAccess, which is basically a new spin on a very old idea -- just analyzing the server's web logs.
https://goaccess.io
That's not as accurate as throwing around cookies and JavaScript, but I rarely check the log pages anyway, and when I do I'm less interested in raw numbers than I am in the relative performance of various pages. (And that's mostly just idle curiosity, e.g., are there some old articles that keep getting steady traffic from somewhere?)
I see this... "We do not generate any persistent identifiers either. We generate a random string of letters and numbers that is used to calculate unique visitors on a website and we reset this string once per day."
But where is that ID stored?
The salt must be treated like a password to make sure it's not that easy to brute force it and no one should get access to your database of course ;) It's not the strongest anonymization, but good enough considering that the hits will be deleted once a day by batch processing.
> So if you don’t use cookies how do you count the number of website visitors and report on metrics such as the number of unique users?
> Instead of tagging users with cookies, we count the number of unique IP addresses that accessed your website. Counting IP addresses is an old-school method that was used before the modern age of JavaScript snippets and tracking cookies.
> Since IP addresses are considered personal data under GDPR, we anonymize them using a one-way cryptographic hash function. This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. We never store IP addresses in our database or logs.
...
> In our testing, using IP addresses to count visitors is remarkably accurate when compared to using a cookie. Total unique visitor counts were within 10% error range with IP-based counting usually showing lower numbers.
From here: https://plausible.io/blog/google-analytics-cookies#can-you-g...
Mine gives one public ipv4 per device that access the internet on the network (with some exceptions). Strategies varies but if you have a lot of addresses why not use them.
I have a basic Github Pages site, and I currently don't know whether anyone is looking at it, beyond the very few who take the time to email me. I don't need (or want) to know anything about my visitors, but it would be nice to know that I'm not simply tossing stuff into the ether.
and it wasn't even running on wordpress
https://www.goatcounter.com/
you'll need a cookie banner then
These third parties will take what you give them and _also_ take what they can get from your browser if you're embedding their script. Are you going to proxy those scripts as well to stop them getting the user's IP address and then geolocating it to grab even more info?
The cookie warning banner is bullshit only in the sense that it achieves nothing. Accept it or deny it, it won't change a thing. Same with the tracking consent popups: despite the law saying they should be opt-in by default, they're still treated as opt-out by default, meaning that all of these sites _still_ collect your data because you're blacklisting individual sites from tracking, as opposed to whitelisting them. You need to set a cookie to say that you don't want tracking and not thousands of cookies to say you do want it?
That's being tracked... it's all wrong. Literally everything you offer as information, or don't offer, is another node in their graph.
WTF is that...
Completely at odds with the whole "informed consent" thing.
That seems to be the advice of the UK ICO: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
Analytics cookies are not strictly necessary.
Alternatively your pagecount will shoot to the millions if you have someone holding f5.
> I currently don't know whether anyone is looking at it
You don't need tracking cookies to track simple metrics like pageview numbers.
So yes, use of tracking cookies, first or third party, would require a Cookie Consent Banner.
Seems like a cool company/project to me.
But, it's not free :( $19/mo Still thought it's worth pointing out.
It is self-hosted but on firebase and taking advantage of the free tier. Of course there is no personal data collected at any point.
There are still improvement to do, but as it works perfectly for me I have not be able to gather enough motivation to do that.
Panelbear is privacy-friendly, and has a free plan with 5,000 page views per month. Commercial use is allowed.
https://panelbear.com
Full-disclosure: I’m running this service. Feel free to ask me anything :)
Thank you for providing this service.
I've only skimmed over the docs, but it looks like they derive a unique identifier from the IP address and user agent which changes every day. IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent. This is speculation though so I'd be interested to hear what others think.
If it is critical to the operation of the website (functionality like storing saved items in a shopping cart, or security), then you wouldn't need consent.
In reality though, Plausible looks great and using it is a huge improvement over Google Analytics for privacy.
I'm not an expert in this even though I'm a webdev from the EU, so I'm also interested in other people's input.
I don’t believe that one should automatically conclude that just because a cookie requires active consent, any kind of ‘logging’ (local and temporary storage of IPs in order to track website usage) requires active consent. Those are two fundamentally different things.
I’m not saying you should hide the fact that you’re doing it. I’m saying it should be stated in the privacy policy.
Also remember that there is a big difference between ‘personally identifiable information’ and ‘sensitive information’ which are clearly separated concepts in GDPR. Not all collection of data requires active consent.
I did read my EU state’s guideline on GDPR in full, but I’m not an expert. I would suggest reading up on the ePrivacy Directive though, which is still in effect.
However regardless of whether you're using cookies, I still think you need to collect explicit consent as GDPR requires a lawful basis of processing, and I don't see how analytics would fall under any of the other lawful basis's other than consent (_maybe_ legitimate interests?)
If you are using cookies, then my understanding is you need to collect consent where necessary under _both_ ePrivacy and GDPR.
Only if there is a bijection between the identifier and the IP address, so that you could re-derive the IP address from the identifier. Otherwise, I do not see how the identifier itself would count as PII.
This way of divorcing data from PII by replacing it with pseudonymous identifiers which cannot be linked back is a relatively standard technique for this.
The GDPR does not count anything as "Personally Identifiable Information", which isn't surprising as that's a US legal term.
What you mean is "Personal Data", and yes IP addresses are considered personal data under the GDPR.
>so deriving an identifier from this for a use case such as analytics would likely require consent.
Consent isn't the only legal basis for processing personal data, though, there are 5 others available.
Not that I am pro-privacy invasion, I'm not, but I'm definitely anti-annoying-popups.
Do you have an authoritative source which i can show our team regarding this?
Edit: https://gdpr-info.eu/art-3-gdpr/ ("where Member State law applies" and "subjects who are in the Union" [...] "regardless of whether the processing takes place in the Union or not" respectively)
Edit 2: https://gdpr.eu/companies-outside-of-europe/ for more info: "The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"
Through non compliance can only be enforced if the entity behind the website/app or similar does enter the EU or does business with the EU.
The practical question is just if they can get hold of the people acting unlawfully.
Which means that you can't say a user is not residing in the EU (without a popup asking the user if they are residing there... ;=) ).
On the other hand if there would be such a law it would have kinda interesting consequences.
https://www.independent.co.uk/life-style/gadgets-and-tech/fa...
Once the UK leaves the EU, they're no longer obliged to keep their implementation of the GDPR. The government can choose to keep their implementation, and in practice keep the same regulations as the GDPR, or they could reduce or remove their privacy protection laws as they see fit.
With London being famous for their camera surveillance, I expect the UK to reduce some if not all of the privacy protections the GDPR brought to the world.
It became UK law as soon as it was passed by the EU, and it didn't need to be implemented in to UK law.
The UK has already passed their amendments to the GDPR,[0] which will effectively fork it into the "UK GDPR". These will come in to force on the 1st of January.
There's a "Keeling Schedule" available[1], which is effectively a diff between the EU GDPR and the UK GDPR.
[0] https://www.legislation.gov.uk/uksi/2019/419/introduction/ma...
[1] https://assets.publishing.service.gov.uk/government/uploads/...
It's related to the ePrivacy Directive, which is deeply intertwined with GDPR but a separate piece of legislation. It's not clear whether the GDPR's territorial applicability also holds for ePD. France in particular is drawing a divide between GDPR and ePD, because ePD lets them fine Google directly but GDPR require they mediate through the Irish DPA.
It's also not entirely correct that the GDPR would require going through the Irish DPA or wherever a company in violation has their primary EU presence for tax purposes. True, the GDPR says the nation where a company has the primary presence of business within the EU take lead within the EU should take lead, but the French courts figured out that Google's Irish subsidy is actually not making any decisions, the US parent is, and therefore it's fine for the French watchdog to issue fines skipping Ireland [1].
[1] https://techcrunch.com/2020/06/19/french-court-slaps-down-go...
GDPR does not supercede the ePD. The ePD is, according to its own text, a law that extends the general privacy regulations to certain aspects of internet technology. So in many cases it defers out to the general privacy law in effect.
When ePD was passed, that law was the DPD, Data Privacy Directive. When GDPR was passed, all ePD references to the DPD became references to GDPR instead (this is Article 94 of GDPR). But ePD remains entirely in effect, just with updated references.
Most importantly, ePD requires Consent in certain cases, but defers to DPD/GDPR for what is the definition of consent. GDPR's definition of consent is much more stringent.
In cases where the ePD did not refer out to DPD, it remains unchanged by the passage of GDPR. So, according to CNIL, it does not include the one-stop-shop mechanism. See section "The competence of the CNIL" in the link below:
https://www.cnil.fr/en/cookies-financial-penalties-60-millio...
The EU law:
- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need a opt-in only if it's tracking people in any way are such opt-ins needed
- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
- is not limited to cookies btw.
All in all this means that for any site not based on ad-revenue they fully can get away without needing any annoying popups, if they don't do some sneaky questionable things.
Even for ad's there are ways to do them without annoying popups, you just need to not track people, tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.
Similar if you track people only after they clicked on the ad you don't need annoying popups on the site the add is one but only on the site the app navigates to (through only start tracking after opt-in). Which given that many adds try to sell you stuff and buying thinks only requires a account isn't that big of a problem as it might seem.
In the end you can say the only reason there are so many annoying popups is because most companies have not intention to respect the privacy of their users. Actually if you look into it and realize that many popups are not legally conform or borderline illegal it becomes clear that they do not only not respect the users privacy but the users themself.
Through I have to note, that while many (most?) companies can switch to respectable advertisement, some companies can't as easily do so.
Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalise.
That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.
But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.
It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.
I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than a GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.
It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law then GDPR which is about storing data on user PC's but that is also not about cookies but about any browser storage and more or less got superseded(1) by GDPR.
(1): Ok, that is quite a oversimplification, but most popups are now about GDPR and having them also covers the other law.
The problem is the "only" part(s) ;=)
Oh, and you must reasonable convey that DDoS protection is essential for your service etc. Which if you ever had any (non super small) DDoS attack should be reasonable easy.
But I'm no lawyer and a bit of time passed since I last looked into it, so if I now would need to do a cooperate decision I would look it up again.
By law it's default opt out for non-essential usages specifically to deal with people who are annoyed, but not everyone plays by the rules.
They want you to have a bad experience if you decide to opt-out of detailed behavioural tracking, so that you'll feel pressured to "consent" to detailed behavioural tracking, and so you'll feel like the GDPR is to blame, even though it isn't.
I've put "consent" in quotes because it's not freely given consent if you are heavily pressured into it, and it's not consent at all if you end up believing you don't really have a choice.
These banners/dialogs do not even comply with the GDPR (despite saying the GDPR requires them), as GDPR says consent to non-essential personal data collection about you must be as easy to withdraw as it is to give, and the service you get must be the same if you don't consent as if you do.
I wrote a bit more about this here: https://news.ycombinator.com/item?id=25441131
More importantly IMO they are also contacting entities up front to tell them about violations and how to get compliant, the fines we have seen yet seems (again IMO) to be only for particularly nasty cases and/or cases where the entities in question refuses to change.
This means the fines we are seeing is just the top of the iceberg: most changes happens underneath the surface and only trickles up in the form of less annoying websites (or fines) little by little.
You have to love how the regulator did not even try to define what they mean by "annoying". Thus making the whole law completely useless.
In my book, any single pixel of my limited screen real estate that gets dedicated to this useless regulation is annoying. If the EU wants to enforce this, they need to provide a way for me to basically say "Yes, I agree with all tracking cookies for all sites forever", and never see a banner again.
>>So, we have removed all non-essential cookies from GitHub, and visiting our website does not send any information to third-party analytics services.
But you’re still only allowed to use the cookies for the purpose the user gave you them for, right?
So, if:
a) the cookies are essential for the user session, and
b) you collect the cookies, without explicit permission, to maintain that session
then you still can’t use those cookies for other purposes, like analytics, right?
Edit: sorry for all the “rights?”, just want to make clear I don’t convey high confidence in this claim.
The reason I find that believable is that their core business is selling a git server with bells and whistles. From Microsoft's perspective, Github doesn't need to be doing any marketing because they kind of are the marketing.
I would be really, really surprised if Github were the only Bay Area unicorn that lacked a product manager nagging them for more analytics. The fact that they don't need to sell the analytics is irrelevant.
I do believe Github is legitimately trying not to use that data for analytics. But whether some PM in there is querying that data for analytics purposes: at that point we're just speculating based on how cynical you or I want to be. I don't think that's a meaningful point.
Also: I'm not saying I don't think they do analytics. I'm saying I don't think they are using users' personal data for analytics. That's an important difference with respect to GDPR.
1. GDPR requires the consent check to be somewhere obvious and in plain language. That was specifically to deal with EULA's given to you in tiny legally compliant text boxes.
2. GDPR requires that you cannot make consent for non-essential usages of data mandatory as a condition for providing your services. Tracking only logged-in people for analytics falls into the category of non-essential purposes. That requires explicit consent, even if consent is not required to use the exact same data for authentication checks.
1. Consent must be separate from other terms being agreed to. So consent in the EULA would not be valid.
2. Consent must be an affirmative, unambiguous action. Pre-ticked boxes or bundled consent are not valid.
3. Consent can be revoked at any time. Revoking consent must be as easy as giving it.
So yes, you can ask for it from a user when you're having them agree to the EULA. However you can't have it as part of the EULA, it has to be an optional add-on. And you still need to let people turn it off afterwards.
Not even then - there are plenty of analytics you can do without a cookie banner, as long as they don't identify the user.
Conversely, anything you do other than your obvious business requirements (e.g. if you buy something physical I need some address or identity to verify at pickup) requires consent whether or not it's analytics.
(Not a lawyer, not legal advice, jesus just don't track people...)
The difference is if you can deny access for those opting out or not.
Yes. It’s not the cookies, it’s what you make the use of them.
The wording even predates GDPR. You could even dispense of the banner if you had DNT set to 1 or 0, since that would count as consent/not consent resp.
Because I can’t imagine that they don’t.
You can anonymize data if you really want to and use it for understanding trends, usage etc in a privacy respectful way. Few companies bother these days though. And yes if you want a 100% watertight way, it’s hard.
Another question is how exactly can Github be trusted to not send this tracking to Microsoft? It's not like this is something that we can check... I don't think that the EU is going to send inspectors to Microsoft?
Then I realized I should probably clear all the cookies for Github, and start over with a fresh session. So I deleted all cookies that Github had given me (which was 12) and refreshed the page. As expected, I was now logged out and Github immediately issued you me 4 new cookies.
All of these are valid cookies (assuming that _octo is for cache busting) that would not require a cookie banner.So then I logged in. I now have 10 cookies. None of them appear to be tracking cookies.
So those are all the cookies that Github now gives you. 2 of these seem to have duplicates. Meaning the same could be done with 8 cookies instead of 10. But regardless, all cookies seem to check out. None of these are tracking your usage and are there to improve your logged in experience. Tracking things like your username and recent activity boolean are most likely being used to save making the same database queries for every request. The others are just tracking sessions, which is something that users definitely do want. The 14 day expiration is a good middle ground between convenience and security.At the beginning I mentioned that I had two tracking cookies before I cleared my cookies. These are gone after the refresh. So it looks like github has in fact stopped issuing tracking cookies altogether. They also seem to have removed Google Analytics entirely as I don't see the script on their website at all.
So all-in-all this definitely checks out. I don't see any GDPR violations here or reason to display a cookie banner anymore.
I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.
I know plenty of people here have problems with Github, but I think it is exciting to see a large company like Github (Microsoft) take this step.
Considering Microsoft's size, wouldn't this still be a concern, and might even still violate GDPR if they were to use identifiers like IP or Microsoft accounts between their various services ?
For an even more extreme version: see Google or Amazon (AWS).
I dropped all third-party crap from my site way back and haven't ever needed a cookie banner.
The question is not "how long". The question is what data, and what happens to it.
It doesn't matter how long it's active either, unless you use it to track users activity elsewhere
However, as you say, it might be allowed by GDPR without requesting extra approval, depending on the way that it's being used and who it is shared with?
Hence my question about whether the length of time that you store this data legally matters (because since databases can be stolen, it eventually does). Compare with how ISPs must store all your connection logs for a specific amount of time.
Length of time you store the data doesn't matter, except in the sense where you can prove that effectively you do not store it at all - for example by anonymization of logs so that you do not effectively store IP addresses, even if of course they have to exist in full in the system at some point to keep the connection open.
You're serving articles, there's no reason for session tracking!
https://ec.europa.eu/justice/article-29/documentation/opinio...
(The §29 WP is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Maybe they are waiting for a forthcoming ePrivacy Regulation. Also: IANAL.)
A lot of people also have the misconception that the EU cookie law applies to them, even if they are not in the EU and have no EU physical presence.
If so, why did everyone scramble to meet the requirements. Was it a scam?
If you're small enough, then the EU won't bother doing anything.
If you don't even depend on any 3rd party that is vulnerable to EU will then you can fully ignore everything. That can be tricky to achieve though. No common money transfer methods and you must be self-hosting.
Also, all of this isn't new. The US has been enforcing its will globally in a similar fashion for a long time.
Technically, the law applies to everyone worldwide, regardless of location. However, if you have no business in the EU and don't plan to expand your current business operations to the EU, you don't need to worry.
Hell, if you don't meet the requirements, the relevant enforcement departments generally give you plenty time to implement the necessary requirements or block access if you're a dick. The exception, of course, is data brokers and huge companies like Facebook or Google where the impact is much larger.
The GDPR doesn't expose you to lawsuits from anyone but the privacy monitoring instances of EU member states. The average American blog or news site isn't nearly large enough for any government instance to start a lawsuit.
You can also ask yourself: so what if they fine my company a €10.000. They're not going to send a team of special forces over the Atlantic or through Russia just to extract the cash from you. You only need to pay the fine if your company ever needs to do business in the EU. If your company structure makes your personally liable, this also impacts your future holiday destination decisions, but you can live perfectly fine without seeing the Eiffel tower.
A lot of very similar laws are also being passed in California right now, which will probably be a lot more dangerous than any GDPR restriction, but if you follow the GDPR you're pretty much set to protect yourself from Californian lawsuits as well.
Most of the GDPR is just "don't be a dick with people's data". If the fear of not meeting requirements stops the free-for-all data exchange market, then I'm perfectly fine with that.
That doesn't mean that you're necessarily at risk of any lawsuits or effective action, but what you're stating is wrong. Physical presence has nothing to do with it.
With exception of large, international organizations, that doesn't apply to nearly all business outside the EU.
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
>When the regulation does not apply
>Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
EU laws simply do not apply to the world, even if the EU thinks they should.
Perhaps not, but the EU is the world's second-largest economy (only $2tn behind the US and $4tn ahead of China) accounting for about 1/5th of the global economy.
If one wants to operate a company that does international business, one will probably want to do business in the EU, which means following EU law in such matters.
The alternative to asking permission to do intrusive things is to avoid doing intrusive things.
Just no.
Both the e-privacy directive and the GDPR are very broad in their articulation and never mention specific technique's, technologies or anything like that. A good example is gdpr article 32.
Fun fact: the e privacy directive (which defines the cookie rules) isn't actually passed yet and technically you don't need cookie banners how they are now. Purely informational banners would be enough, but the directive already _should_ have passed but was delayed, and since gdpr spooked everyone, everything and everyone is using cookie banners now anyway
The ePrivacy Directive passed in 2002. It was amended in 2009 to include the cookie rule. The ePrivacy Regulation which would codify cookie requirements as an EU-wide regulation has not passed yet.
Just like people thought that the data protection was a new concept when the GDPR was created, ignoring the fact that the Data Protection Directive had been around for decades.
Presumably the most they're using this for is recommending potentially interesting repos to you.
[1] Potential concern would be if "Microsoft" was considered "their own", since Bing does have an ad network. But my guess is between still having separate accounts and being treated as separate companies, that is not the case here... yet.
My guess is that, at least, for now, it refers to GitHub, as you agree to GitHub's Terms of Service, which doesn't actually mention Microsoft as a party.
And while Google keeps it's data horde on you to itself, it definitely sells access to you in numerous harmful ways.
A session cookie that is also used for tracking would qualify as both a functional and a tracking cookie, and thus generally be illegal (since you can't consent to the tracking if it's under the threat of being unable to use the service).
"(And of course GitHub still does not use any cookies to display ads, or track you across other sites.)"
That exactly leaves out "track you on our own site". But honestly, I have absolutely zero issue with them tracking my behavior on their own site. I know how valuable it is to be able to learn/see what users are doing, and they should absolutely be able to do that.
You can also add cookie warning filters to uBlock Origin, but those doesn't autoclick when CSS filters aren't sufficient.
https://addons.mozilla.org/addon/i-dont-care-about-cookies/
I wonder if they built the analytics system themselves or are using a COTS.
I wonder what they’re using to track user activity instead, probably just a mix of server logs and the other goings on of the backend.
Cookie dialogs are indeed horrible and out of control. Good on them for making the jump. But I doubt many others can justify the cost associated with the change. We need a better solution that gives users choice but reduce the friction caused by annoying prompts.
One question I do have, however, is whether or not the new homepage[0] which shows where people are when they open a PR actually reveals their present location. In the few samples I checked it did not seem that the presence of the person indicated matched their bio's location settings. If it is truly unmasking people's location I think it should be opt-in only, since it is private information. An employer or state may have issues with someone opening a PR from a specific country at a specific time, for example.
[0] It may be required to open this in an incognito browser.
The users might not know it's being used for marketing on the home page, but it seems to be (again, just spot-tested) information that they provided for their /public/ profile.
Edit: NEVERMIND! Just checked a fourth and code from someone with "United States" in their profile showed as coming from Minneapolis.
If anyone wants to do any further analytics on it, it's easy enough to pull PRs and lat/lon from that.
It does look like lat/lon might be a fixed value for each city (from spot checking a couple). If it's not, that would be surprising and a pretty egregious leak of user info.
GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.
Luckily where I work we are pretty serious about this stuff. Since one of our main revenue's is Data protection consulting, anything else would be idiotic anyway
If you block ad networks and analytics the site functions just fine -- they're not essential.
Beyond that there's probably some sort of "need to know" test to prevent convoluted fake dependencies.
I love those systems. Especially when the unwary users share links, accidentally letting other users into the site as them. Or when google indexes it, and in addition to terrible security, the site uses regular GET links to perform site actions, so google deletes the user's content or buys a bunch of stuff as them while walking the links it finds as it indexes in beyond the user's initial account bearing link.
lol. no.
It also poses a security / opsec issue if anyone non-technical wants to send a link to a friend / co-worker. You may compromise yourself.
If people share their screen people would be able to hijack the session too.
You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".
These are what I can think of. There's probably a handful more reasona NOT to do that.
You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.
Link sharing is an issue, for sure. You could tie the session id to the IP, but that doesn't work when people share their IP, which is more and more common every day. IP tied session would work better with IPv6, though.
The problem is it’s makes urls horribly unwieldy if a user wants to bookmark or paste in links from emails etc etc, or writing JS to interact with links, not to mention the security issues of being able to accidentally share your session.
Possibly, yes, but not at all user friendly.
Note GDPR never mentions cookies, or cookie banners. It regulates the control and processing of personal information (which can be stored in cookies).
https://gdpr.algolia.com/gdpr-article-6
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This is not legal language or legal advice, but the gist of it is "if you don't have it, can your website still do what it claims to do?"
For a site like Github, if you can't use cookies to maintain session state, you'd have trouble implementing login sessions, so that's pretty squarely on the essential side of the fence.
But moving into murkier territory, how about logging the IP addresses you signed in from? If you're using it to detect new login locations or new devices as a security alerting thing, then I think you can make a strong enough claim that this is essential. (Again, not a lawyer, this is not legal advice.)
What if a PM wants to look in these logs for how many unique users show up in each country? That's pretty squarely on the side of analytics, and is probably not essential.
But... muddying the waters more, what about if an engineer wants to query unique users to figure out how many more racks of servers to buy? I have no idea. I'd be asking a lawyer.
- Any form of tracking people is generally non-essential.
What you can and can't do is not based on technical implementation details but practical usage of the information!!
The tricky part if when both overlap, i.e. if you track people but only for assuring a secure operation, i.e. you don't use the tracking information for anything besides their main purpose of assuring secure operation.
A lot (all?) of systems which provide such security specific tracking do not strictly limit their usage, access and collection of information and as such are also used for non-essential purposes and in turn need opt-in.
But then sometimes companies try to abuse it and will do do until taken to court.
For example Facebook argued that people use Facebook with the (main) intend to get customized ads and as such tracking them is essential for Facebooks service. As you can guess this argument is completely ridiculous especially given that they also track users which don't use Facebook, but if you are the size of Facebook you can try to bring that to court and maybe gain a bit more time before you need to comply.
https://ec.europa.eu/justice/article-29/documentation/opinio...
(The §29 WG is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Also: IANAL.)
- github.com
- githubusercontent.com, DNS pointing at github.map.fastly.net
- githubapp.com
- githubassets.com
All these are GitHub-owned, so from a privacy / customer relationship standpoint it looks fine (except github.map.fastly.net , which is probably for CDN purposes), isn't it? I mean: there is zero googleanalytics / zendesk / tracking saas nonsense here. Or are you making this point from a performance standpoint?
By the way, I haven't used SourceHut yet, but thanks a lot for your opensource work.
Ironically, these sites need to use additional cookies to remember that you clicked away the banner, and part of the problem is I also blanket block all cookies on sites that I don't need to log into, so they don't get to "remember" anything.
"The site uses cookies. Actually it doesn't - you are not logged on and we don't need to maintain state. But our advertising partners, their partners, and their partner's partners all love to set tracking cookies. Click here to consent to three dozen cookies from around the globe."
—Another fake quote
Google being the biggest ad company does not give them the right to surveil all that walks the earth.
If that would be the case, maybe more sites would follow GitHub here.
And then Facebook takes out full-page ads attacking your company for allegedly hurting "small business."
Why not just let browsers controls who sets what cookies?
I'm tired the endless cookie popups, can we come up with an "allow cookies if the browser accepts them" standard as long as that guarantees no cookie popups?
Then browser vendors can ship a delete all non same origin cookies on tab close or something.
isn't that the 'allow 3rd party cookies' setting ?
At least that's the idea. In practice, almost everyone just throws up a banner that says "fuck you, we're selling your data as hard and as fast as we can," with no opt-out available, but they pretend that this is compliant with the law.
It failed horribly because it was voluntary. But now that it's a GDPR requirement, perhaps that might have a snowball's chance in hell of succeeding.
What should be happening is every company that's done that should be getting massive fines, but instead all the enforcement agencies are doing nothing.
[0] https://www.cnil.fr/fr/tag/sanctions
[0] https://ico.org.uk/action-weve-taken/enforcement/?facet_type...
https://www.openrightsgroup.org/blog/parliament-must-hold-th...
They also had a massive budget shortfall which meant they sent out what amounted to a protection racket letters demanding £40 per year from every UK business, even though almost none of those businesses should be paying it.
All this while simultaneously investigating the ad industry, finding it is egregiously breaking the law, but then doing nothing about it.
The UK's ICO is taking an extremely broad definition of who should be paying it, but an extremely narrow definition of who it should enforce against.
I might add that the £40 it is demanding is almost 3 times the normal £15 yearly fee for running a business in the UK.
Everything outside that field cannot, I guess, be considered as legitimate interest.
They have small print after each of their emails that says that GDPR allows them to email me because they believe I might be legitimately interested in purchasing their services.
Sharing is caring.
Does this mean that sites that offer free but ad-supported content still have to offer that content? So I can watch those free Youtube movies and listen to those Spotify tracks ad-free because EU Law says fuck you.
How is this fair?
Edit: Okay, okay, non-targeted (and no 3rd party) ads are okay, got it xD
The fact that spotify doesn't want to because it's less profitable is where EU law says fuck you.
Also Spotify can easily require a free login and associate everything with that, no tracking cookies required. They just can’t associate your playlist with your web browsing habits.
Tracking is not necessary to show ads. Certainly there are business models which depend on this, but hey who says our society benefits from those? Targeted advertisement and free informed democracies don't mix well IMO.
As in, this is the first GDPR banner I've seen that is actually legal under the GDPR.
https://www.freedomforuminstitute.org/
1-click to opt-in.
multi-click and losing your current page to opt-out.
There's so much more pressing than just cookies imo.
The very long and well-sourced wikipedia article doesn't even contain the word "cookie": https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
This if from article 7 of the GDPR [0]. Clearly the situation described involves a much harder time withdrawing consent than giving it - which goes against the law.
I may have misunderstood what you meant but how is this being laser focused on cookies? This articles applies beyond the Internet anyway.
[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
One of the most precious things we have is time and the constant cookie interruptions are a nuisance that should be kept from sight.
I would like to store a cookie or a client-side cert to remain logged in, but not the other cr. Granted, they could use that cookie to track me, but this is what GDPR is about.
IIRC, Internet explorer used to ask you for each cookie, circa 2000. These pop-ups became more and more common with time. The web would be unusable with those nowadays.
That doesn't prevent Facebook or Twitter or advertisers in general from tracking you across dozens of pages or more, it just means that they'll have to issue you a new cookie each session.
1. A law that aims to prevent stealing should be deterring thieves, not just regulating padlocks.
2. Technical measures are insufficient because cookies are regulated by purpose. A third-party cookie for fraud detection is allowed; a first-party cookie for analytics requires consent. It also prevents using necessary cookies for secondary purposes, something that literally cannot be accomplished through technical means alone.
As a minor point, the so-called "cookie law" also regulates browser fingerprinting. I have a hard time imagining that you could legislatively mandate effective anti-fingerprinting approaches.
Browsers wouldn’t fall for dark patterns.
Because it doesn't have anything to do with cookies. You don't need a banner if you use CSRF cookies, you don't need a banner if you use them for stuff like CloudFlare's anti-DDoS script, and you certainly don't need a banner if your site requires cookies for basic functionality like logging in.
The browser can't possibly tell what the server is doing with its cookies. It might even be using a single cookie as CSRF protection and ad tracking at the same time.
This is actually the case, what do you mean? All browsers that I know of (firefox, chrome, elinks) allow the user to control what to do with cookies.
what I wanted to say is that cookies are not illegal by gdpr means and gdpr does not make a lot of stuff illegal, it's just that SAVING personal information or information that could identify somebody needs explicit permission.
edit: another thing ip addresses, by german law you are required to save it, when a user can register on your site and your site allows users to submit data. because authorities force you to give them out when a user did something illegal. (§ 7 Abs.1 Satz1 Nr.4 TKÜV, https://www.gesetze-im-internet.de/tk_v_2005/__7.html) In germany it's basically: fuck the privacy if they harmed our law! or at least you need a way to "activate" saving ip addresses.
of course that is forbidden. and that's exactly why it is really hard to tell if companies honor it.
Is disabling it there globally æquivalent to not accepting on such banners?
This is also why the GDPR requires consent forms instead of relying on browser cookie settings, as it covers the intent of tracking itself as opposed to any technical means by which it is achieved (and this is why functional cookies such as for logging in or shopping carts don’t actually need consent at all).
They talk about cookies, and little more.
The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.
Some sites don't even give you a "Disagree." Liberty of London has no way to opt-out: "By closing this box or by clicking accept and close, you agree to our use of cookies."
https://www.libertylondon.com
1. Having some legitimate interest is not necessarily sufficient - the privacy interests of the data subject can override the legitimate interests of the controller (Article 6.1.f itself), so the controller has to explicitly take the privacy interests of the data subject into account, and the reasonable expectations of data subjects matter. So this can be tricky, as it's up to the organization to demonstrate that their legitimate need outweighs the data subject interests.
2. the right to object of Article 21 applies for this clause, with explicit clarification in 21.2 that yes, people do have the right to object to direct marketing profiling;
3. the controller is required to explicitly inform the users "At the latest at the time of the first communication with the data subject" that they have the right to object to this processing (Article 21.4, and Recital 70);
4. As article 21.5 states "the data subject may exercise his or her right to object by automated means using technical specifications", so this opens the way for specifications such as the upcoming Global Privacy Control header (https://globalprivacycontrol.github.io/gpc-spec/) which would be a legally binding "I object" mechanism.
Because of this, whenever an organization can assert some other basis for lawfulness of processing (e.g. consent or performance of contract) then that would be a safer option than trying to assert a legitimate need.
https://blog.gingerlime.com/2020/sonos-is-spying-on-me-and-y...
on mobile so can’t easily post links unfortunately. EDIT: here’s a couple of links
https://noyb.eu/en/noyb-files-complaints-against-apples-trac...
https://blog.gingerlime.com/2020/does-ios-14-protect-your-pr...
"We're not going to lie to you. Your privacy isn't our priority. It's not even close. Not because we want to track your every move. But because we simply don't care. We'd rather spend what limited time we have actually improving the web site. We're into taking pictures and adding content, not obsessing over what your dog had for lunch so we can sell it to MegaEnormousBigCo. We're not tracking you. We're not tabulating you. We're not folding, spindling, or mutilating you. Seriously, your personal life is not important to us. However, you may or may not be of interest to the people who advertise on this web site."
https://www.chicagoarchitecture.info/privacy.php
Here's the other perspective: Data brokers don't really want your data if you don't want them to have it. It's a legal liability for them, and most of them are struggling to work at the scale their customers demand already. But publishers want high advertising rates and that means advertisers want to make good bids and that means both actually want a data broker involved to deal with the technical (collection, filtering, aggregation, ETL) and legal (GDPR) bullshit.
But then publishers and advertisers don't do their due diligence or decent engineering and just shovel illegal shit to data brokers on the backend. The ones that shut up and launder it do well; the ones that actually try to do a good (technical, legal) job drown in account management and data processing overhead.
So fuck that site. They are the ones that care about your data, they're just making a show of keeping their hands clean while they pay someone else for the dirty work and hiding behind their (half willful half stupid) ignorance of how their own industry works.
I also like the fact that all users get equal privacy rights!
So my understanding is that there is a big difference between this and "they just don't use third-party analytics".
It would be super nice if they clarified this in the blog post. Maybe by adding something like "We do not use personal data in our analytics".
The argument that you need to follow users around every step of the way to build great products is simply untrue.