Ask HN: Cookie popups – how annoyed are you?

20 points by mherrmann ↗ HN
In the EU, web sites must obtain permission before tracking users. This leads to very annoying cookie consent popups. Is anybody else here frustrated by them?

I'm semi-seriously considering launching an EU citizens' initiative to fix this. Here's how it can work: The EU directive responsible for the cookie popups is (afaict) 2009/136/EC, par. (66). It says cookie acceptance can be a browser setting but does not give details. The EU initiative could extend this to say web operators must respect the "Do Not Track" header.

Do Not Track is a special header that browsers can send to say "I don't want to be tracked" or "I agree to being tracked". It already exists in some browsers - but hardly any web site honors it. If the EU directive would mention that DNT must be honored, then web sites would have no further need to display their consent popups when the header is set.

My problem is that such an initiative would likely require a huge time investment. It needs 1M signatures. That would likely be very hard work.

If the response here is overwhelmingly positive, I might be more inclined to throw myself at this problem. Please upvote or comment if you think this might be worthwhile.

19 comments

[ 3.3 ms ] story [ 56.6 ms ] thread
I think these are a user disaster because they are training people to click "OK" on a pop up. Which will turn out to be very bad from a security perspective.
Exactly. They just train users to always click "Accept".
I agree. The intention might have been good - but the outcome is the opposite.
Just saw that you're the CTO of Cloudflare. If I launch the initiative, do you think your company could endorse it? Or become a sponsor for a prominent backlink?
I was writing as a European in Europe rather than Cloudflare's CTO.
I thought that sometimes these personalities may overlap. But nevermind.
I am a highly technical internet user, yet I still now always click accept on cookie pop-ups. It's just too much work/wasted time to navigate through those pop-ups that hide the "no" option.

I might have clicked Accept on other things too because of this, good thing that the browser permission pop-ups have a different style otherwise I would have also enabled push notifications on several websites.

A less technical relative of mine is getting spammed on her mobile phone with push notifications, as she probably unwillingly gave permissions to multiple websites that she visited and showed a permission request pop-up.

Agree. You could literally say anything in the cookie message, and people would just happily click and along with it. I've used to tapping yes and going next. Not exactly what they intended when they came up with this incredibly ill-conceived idea. Good intention, poor implementation, which is the state privacy and security regulation has been in for far too long.
I mostly don't see them thanks to additional rules from "Easylist-Cookie List" in my adblocker, so eh.
I'm both mildly annoyed and strongly in favor of them, since they have taught me how incredibly pervasive website tracking of my personal data is. If a website tracks me, I want to know about it, and I want to be reminded to consider whether the website provides value worth giving up my privacy for.

Besides, recent iterations of the cookie banner are (supposed to be) more than just an ok button - they are supposed to provide an opt out mechanism for all non-required tracking. See, for an example, theguardian.com

They're covering what I want to read, they effectively make my screen smaller.

Would the EU directive also mandate there be no consent popups? Otherwise they'll probably remain and annoy people, even if they are mandated to follow DNT.

I'm pretty sure you'll really like the Just Read extension[0]. Once installed, I just hit Ctrl+Shift+L and it will make all that noise disappear, and present the content in a 70 characters wide format and bigger fonts.

The difference is dramatic. I tried it and went "wow" when it became obvious I didn't realize just how noisy pages are. This is similar to "Zen mode" or "Distraction free mode" in some editors, but for web pages.

- [0]: https://chrome.google.com/webstore/detail/just-read/dgmanlpm...

The ePrivacy regulation is being negotiated right now, your best bet is to join the lobbying. It's for certain that there will be some amendments to the GDPR and ePrivacy directive regarding the way cookies and tracking are handled for websites. In Germany the Bitkom is a good place to start if you want to make your voice heard, they have a working group on data protection that comments on the EU legislation process (you'll be a bit late to the party regarding the ePrivacy regulation though, not sure if there's still much room for change).

I don't think a citizen initiative will be likely to succeed as the regulation has been in the works for a long time and will probably be passed in one form or another, and I really doubt the EU would want to amend the handling of cookies a third time.

BTW I develop an open-source CMP (https://github.com/kiprotect/klaro) and the problem is a bit more complex than honoring the DNT header, as the user needs to grant or decline his/her informed consent for all non-essential third-party services. In the long run I think this functionality should be implemented directly in the browser, but again this will require more than a single header IMHO.

I have an extension installed to agree to them all. I dislike them and they serve no purpose. I would be glad to help you. I have a website that gets a lot of tech visitors to reach 1 million if I can help: https://downforeveryoneorjustme.com/

My email address is bwbbwb@gmail.com.

It's an absolute disaster.

The default should be to only allow the basics for a cookie. And if the user wants to opt in for sharing all their data, a specific page for that should be present.

It is more an issue for me at least that it fucks with my intelligence somehow.

Of course I do not want to share my data with anyone and at the same time don't try to fucking trick me to hit the "all cookies" button.

I am absolutely furious about it.

I would sign it in a heartbeat. The surfing experience has been really degraded.
I would not sign your initiative since I believe it is dangerous and would make the web worse. Here's why:

You propose to make web protocols/standards and national laws tightly coupled for the long run, to solve a usability problem in the short run. That's the wrong hammer for this delicate ceramic vase. Can you imagine what it would take to evolve web standards if they have to do so in tandem with the laws of dozens of different countries? If the law says cookie acceptance can be a browser setting without giving details, that's not too little detail. Even mentioning cookies might be too much detail for a law.

I am annoyed too, but I direct my annoyance at the entity that made the wrong usability and privacy decision, which is the organisation behind the website in question. Website owners (should) have every incentive not to annoy their users. Designing websites without cookie consent pop-ups is possible, legal, and a competitive advantage. As a user, removing the pop-ups automatically is also fairly simple. Let it play out. It's gotten worse before it gets better, but I believe GDPR is ultimately a force for good.

Maybe off topic, but if the only cookie set is for Google Analytics, and I anonymize ip - do I still need consent from users? My understanding is that only data that can be tracked to a certain user needs consent per gdpr?
You need a consent as soon as there is a possibility to trace down a single user. Even with the help of the ISP. Just anonymizing the IP will not be enough.

We recently introduced a cookie-less mode for https://splitbee.io that aims to be GDPR etc compliant.