127 comments

[ 2.3 ms ] story [ 132 ms ] thread
Terror is a bit strong.
Finally! The vast majority of these are in clear violation.
Can they include BBC as well? They have opted into disguising their malicious cookies as "Legitimate Interest", which will stay even if you reject the cookies and requires toggling off 100+ of them individually.
(comment deleted)
I've seen "Legitimate Interest", but no where has anyone explained what that actually means.
Typically legitimate interest is used where consent isn’t an applicable basis (e.g. for processing a user’s address details in an online checkout).

The fact that the BBC have chosen to add consent options to a purported legitimate interest is a hint that they’re trying to confuse the user.

> The fact that the BBC have chosen to add consent options [...] is a hint that they’re trying to confuse the user.

Yes, just another dark pattern which you see so often with those cookie banners.

> Typically legitimate interest is used where consent isn’t an applicable basis (e.g. for processing a user’s address details in an online checkout).

Nope, that'd be the "contract" basis (i.e. this information is strictly necessary for the user's intended task).

Legitimate interest is for non-essential data that it is, somehow, in the user's best interest to gather. But convincing a judge of that data being in the user's best interest is a...tricky bar to clear.

The GDPR has a part about that, it's where this wording comes from.

It boils down to basic visitor counting without privacy violations.

Companies obviously try to broaden the definition of that.

It's one of the reasons that allows a company to collect/process personal information without a) consent b) contractual obligation c) legal requirements

It's a bit loopholey, but has high hurdles since the processor needs to argue that their legitimate interest is bigger than the right for data privacy of the user. The processor has to create a DPIA (data privacy impact assessment) to show that they indeed balanced these both sides. The document can only be requested from the data protection authorities and are not public though.

Those are things you need for the website to work. Session/login cookies are examples of this. It also applies to other data, for example if you order something they have a legitimate interest to ask for and store your address (but only for the purposes of shipping, they cannot use it for anything else).

This has been twisted into "It's legitimate we track you because this is how we make money and we can't exist without money" which is obvious bullshit.

GDPR says: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." in its preface.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

Anyway, flimsy legitimate interest excuses are easiest to override. You just object to data processing, then it's upon the other side to provide overriding reasons why their legitimate interest is more important than your "interests or fundamental rights and freedoms" of which right to object to data processing is one.

Almost nobody even tried to pass that hurdle when I objected to data processing. And those few that did try, I just sent them the decision to fine for almost identical situation (where a company tried to claim legitimate interest for mining data from public registries and sources and publishing them on a website) from my country's DPA. And that made them comply too.

>You just object to data processing

The problem with objecting is that they claim to need to store your info for the future to exclude you from data gathering. And presumably give that blacklist to everybody else to "exlude" you.

Fine by me, as long as they can't use it for anything else.
Thanks to Brexit the BBC cannot be held accountable to the EU anymore, no?

Edit: thanks for the responses. Understood: it still applies.

GDPR is not limited to companies inside the EU only. It covers (the PII of) every _user_ from the EU, location of the website does not matter.
GDPR applies to all websites that want to operate within the EU.
The BBC does not operate in the EU, except to serve an ad supported version.
GDPR isn’t an EU law, it’s an EU directive, which means that it was (mostly) required to be implemented into member states’ own legal system. This was done in the UK before leaving the EU, in the Data Protection Act 2018.
GDPR is not a directive, but a "regulation" (hence the name, General Data Protection Regulation). It is enforceable "as is" in the whole EU without the need to be transposed into the various national laws.
GDPR is embodied in U.K. law as the 2018 Data Protection Act. It continues to function post-Brexit
The extension you want is called Cookie Autodelete.

Then, it simply doesn't matter what you leave on. The extension deletes all identifiers from the site 15 seconds after tab close.

But, unfortunately, even if you auto delete cookies, by accepting or not objecting "Legitimate interest for anti-fraud purposes" allow browser fingerprinting scripts to be run and does not require cookies to be present.

Yes, the advertising companies are that evil.

Is there any indication those scripts are not run until you click you accept?
No, some of the sites even think that this falls into "Essential" category, as ad fraud is a crime, creating a loop hole.
That's where NoScript and uBlock Origin come in.
Please nuke TrustArc from orbit, the one where it takes 2-3 minutes for it to "process your cookie preferences". But accepting all cookies is instant.
Haha, this is hilarious in a very sad way. Can only imagine how the internal conversation about such an implementation went :).
My guess is that the same people that were complaining about multi-million dollar fines were the same ones that decided to adopt this blatantly violating "cookie solution"

Would be fun if all companies relying on this "cookie solution" sued back if they were found in non-compliance.

It's a dark pattern, and it's arguably illegal under the GDPR.
I'd scratch the arguably, seems to blatantly violate the pretty explicit text of the GDPR.
Great, way to many businesses have attempted to just cruise along, making some symbolic change or hoping that they could just buy a "GDPR" solution and stick it on their website.

Some of the 3. party solution provider are going to have a problem if Noyb wins. They sold solution which they most have known could not be complaint, but they did so anyway because their customers wanted to pretend that the GDPR doesn't exists.

I want a cookie policy API in browsers. User has a master switch for: Ask Every Time, Yes, No, and Essential Only – then in the list of remembered sites you can toggle after the fact if your little heart so desires.

That's it, that's all I want. Give me back my web please.

Between cookies and user authentication I think the web is an actively user hostile place. We could and should have done better.

lynx has this, it's one of my favorite features.
This used to be a feature of most web browsers. Then they removed it.
It actually kind of exists: in Chrome and Firefox, you can block all third-party cookies, which are mostly ads and tracking, and keep those from the site itself, which are likely more useful. This doesn't remove the stupid banners though.
Yeah sorry but this just isn't true at all. When the browsers started blocking or otherwise crippling third party cookies by default a few years back, lots of companies changed how tracking works to get around it.

I know because I did it for a company I was working for.

Instead of being able to use a simple tracking pixel hosted on a third-party server we changed to having websites embed JavaScript hosted by us so we could set a first party cookie.

I don't think any respectable tracking uses third-party cookies these days because they just don't work well at all anymore.

Is there a halfway decent cookie manager for Safari (macOS, maybe iOS)?
We used to have a Do-Not-Track header, which all websites promptly ignored.

The hard part is having a legally-binding standard

Given the current available API, I'd imagine the law-maker could have decided to write in the law 'consent must be collected through a javascript window.confirm() popup'

This.

I am sure there are significant legal, technical and logistical challenges to overcome to do this, but are they insurmountable?

> Many internet users mistake this annoying situation as a direct outcome of the GDPR, when in fact companies misuse designs in violation of the law. The GDPR demands a simple “yes” or “no”, as reasonable people would expect, but companies often have the power over the design and narrative when implementing the GDPR.

Thank you.

Latest annoying offender to me is Stack Overflow with their ridiculous semi-intrusive banner. And if I accept it errors out (probably because the ad-blocker blocks it). So thanks but no thanks.

Why should I be given the equivalent of an intrusive intimate "verification" every time I visit your site?

I love sites that do that, even three options, "reject all", "accept all" and "only legitimate interest" (whatever that means) are fine. No going through the pages of third parties to make sure all of them are deactivated. No ridiculous wait times. It could be so easy.
Stack overflow has no obligation to function corretly with any arbitrary extension(s)?.
It actually also errors out from the "Strict" preset in Privacy preferences in Firefox. Clicking "Customize settings" on the StackOverflow popup thing results in this error on their site:

"We couldn’t save your cookie preferences. Please adjust your browser settings or disable ad blocking. You can access your cookie settings at any time by clicking “Cookie Settings” in the footer."

To be fair, Firefox does say this under the Strict setting:

Heads up! This setting may cause some websites to not display content or work correctly. If a site seems broken, you may want to turn off tracking protection for that site to load all content.

(comment deleted)
Nobody wants to “customize their cookie preferences.” Ever. It’s clear this should be a yes or no that has no impact on functionality, but once you do that it becomes clearer: why isn’t the answer just no for everyone? Is someone out there really thinking “ah man, if only advertisements were more relevant!” ???

I do see how someone could plausibly prefer relevant ads over irrelevant ones. But I’d be willing to bet a majority of people simply do not care and in fact would rather see neither.

Of course, this is bad news for some, but it was supposed to be bad news. ¯\_(ツ)_/¯

> Is someone out there really thinking “ah man, if only advertisements were more relevant!”?

To be fair, people who prefer personalized ads do exist. Some of them are not aware this involves not only tracking but also profiling them.

Give them your finger, and they'll not only take the whole hand, but your arm too and then divide up your other limbs and make it into a wholesale.
I personally prefer having personalised ads over vanilla ones. Especially if the data is not sold but merely used to improve ads. If possible I try to pay where possible to not have ads in the first place.
> Especially if the data is not sold but merely used to improve ads

Which is never. It's disingenuous to even pay homage to this idea being possible in practice, as it makes the space seem a lot less seedy than it is.

You can be targeted without explicitly selling data to a third party. This is how most large advertising networks work. They don't send a dump of all user data to a third party who wants to advertise.
I do admit that this is a valid viewpoint. But also, the problem is that the choice is between “the data is collected” and “the data is not collected,” and ads being relevant is just a proxy for that. Even if a company was actually responsible with data and had a proven track record in data security, it just seems like unnecessary risk for something that is not very important to the end user.

I’ve learned to love more direct advertising. Granted, I will admit that NordVPN and Raycon may not provide the best or even in some cases most honest products, but the model they are using to advertise, by having reputable creators appeal to their viewers in enjoyable ways (see, for example, the way Internet Historian uses his signature video editing style and makes the whole ordeal of an advertisement into an over-the-top joke; people end up looking forward to these ad reads) is pretty solid, and it might have more room for growth with creators seeking more direct monetization with both their fans and sponsors alike.

Compared to that, even the most relevant ads generated by some algorithm will always feel impersonal. It’s a giant machine to me.

Advertisers have proven time and time again they're not trustworthy.

And any website that says "your privacy is important to us" while deliberately tricking you into accepting terms and cookies you weren't easily made aware of is a hostile adversary.

I've said before, I'd be happy to see ads that were embedded in the website's content, unchanging and baked in on the day the page was written (like print publications) as there would be no need to track and stalk me, profile me and sell my behaviour to dodgy companies around the world who are making money from me without my consent.

Do that and I'll turn my ad blocker off. Until then, let's bring on the gdpr lawsuits.

Typically they say ”We value your privacy”, which can be read in a very literal way…
> if the data is not sold but merely used to improve ads

Have you considered how the ads are improved? Websites don't use their own information to serve ads...

You can be targeted without explicitly selling data to a third party. This is how most large advertising networks work. They don't send a dump of all user data to a third party who wants to advertise.
They don't have to dump the data, your request for the ad is itself data that allows more targeting by that network. Part of your identity is sold by default the moment you content to the linked ad network.
That request is made to the ad platform (e.g. Google/FB/Amzn) and not the 3th party who owns the ad. Even when following the link the website does not get any personal information it does not already get by you visiting their website.
You mentioned data originally, not personal information. You do give the 3rd party data about your current visit which is connected with all the information they already have about you - which builds up your profile. But the difference is not that big - for example did you visit page for the local school with a facebook button? Yeah, facebook already knows which area you likely live in.
I personally couldn’t care less. The cost way outweighs any benefits.
I do want to, and have, customized my cookie preferences. On some sites I blanket-allow, on others I blanket-deny, and on others I’m somewhere in the middle.
What is this middle ground? Do you actually go advertiser by advertiser and allow/deny their cookies?
Typically if I allow some cookies, it’s because I trust the company to use analytics data to better the product.
If only there were some kind of browser feature for blocking or allowing cookies on per-site basis, so that we could avoid every website having to create their own javascript implementation
Those banners have nothing to do with cookies, they are about tracking - there are a lot of other tracking techniques besides cookies. So if the number of users who would block cookies reaches a certain threshold the advertisers would switch to other technical means, and would still have to present you this dialogue.
>if only advertisements were more relevant

Has anyone ever bought anything because they saw an ad? If anything ads cause me to not want to buy the product. I have stopped buying certain products because whenever I see them in the store I'm reminded of their stupid ads and all I feel is resentment.

Of course then people come with the whole "you pay with your attention" thing. No you don't, because if you pay, you'll still be served ads, because why the hell not right? They'll still mine your data, bother you with 'suggestions' and annoying ads.

Being a consumer sucks.

> Has anyone ever bought anything because they saw an ad?

Ask almost any woman a few weeks after breastfeeding at night where browsing the web is one of few entertainment options. (Spoiler - yes, so many of them did)

That's an extreme "yes" case, not otherwise, sure people do. That's why companies spend money on the ads. (some of them in clueless ways wasting money)

> Has anyone ever bought anything because they saw an ad? If anything ads cause me to not want to buy the product.

It is tempting to think that. And to think these ads have no influence on you.

But since marketing costs many companies tons of money and they happily pay it, I'm more inclined to believe that it works. Especially since the correlation between marketing budget and income is something that can be directly seen by these companies.

It's like how many Youtubers say the hate doing the "Like and subscribe" thing, but they can see in the analytics that videos where they say that perform better.

Also, attention isn't payment. You pay the marketing budget when you buy the product. Only you also pay with time, your bandwidth, your CPU time, electricity, sanity and privacy.

The idea that ads help us have things for free might be the greatest marketing stunt they have ever pulled

>to think these ads have no influence on you.

Yes, it has an influence, it influences me to avoid their shitty products. My assumption is that if you have to sink 80% of your budget into ads, I assume it sucks and I'll end up paying for more ads to be directed at me. Especially if the ads are annoying on purpose to "make you remember them" I avoid their products like the plague.

>The idea that ads help us have things for free might be the greatest marketing stunt they have ever pulled.

That was sort of my point. But the real secret of marketing is that it has a very low success/conversion rate. Marketing and ads are a product sold to the companies who pay for the ads, it's a racket. Marketing companies will pretend that you'll lose money if you don't, so you'll have to spend that money on them instead.

> But the real secret of marketing is that it has a very low success/conversion rate

That's not a secret. Everybody who books advertising online knows their conversion rate. It doesn't matter whether it is low, what matters is that a dollar spent on advertising turns into more than one dollar in revenue.

> Marketing companies will pretend that you'll lose money if you don't, so you'll have to spend that money on them instead.

Many companies - especially those starting out - don't care about losing money, they care about not increasing revenue. If hiring more sales people and spending more on marketing increases revenue - and it generally does - then operating at a loss is okay. If it doesn't, maybe there's no way to salvage your product - figuring that out has value, too.

> Has anyone ever bought anything because they saw an ad?

Yes. Advertising works. It's usually not that an advertisement immediately turns into a purchase. However, once you've seen the ad, you're more likely to purchase product if you encounter it again.

> I have stopped buying certain products because whenever I see them in the store I'm reminded of their stupid ads and all I feel is resentment.

Maybe that is true, but that's because you're a curmudgeon. Most consumers are not like that. If they were, the economy would collapse under its misanthropy.

> Being a consumer sucks.

You know what sucks even more? Being a producer.

Same. I just ignore everything, and with really stupid ads (that don't even mention their product/brand, or maybe I can't see it; same result) I wonder who tf is getting paid for that.

Sometimes I make a special note to avoid the company, because 2-5 minutes of bullshit is not an ad and you deserve to fail.

But having worked in affiliate marketing, I can tell that people do buy A LOT of stuff based on ads. I was running mostly targeted campaigns with relevant products on relevant websites/forums and relevant keywords on Google/Yahoo/Bing, but even on untargeted ads work.

AdSense used to work (probably still does, I hated it from the first try), and I can't fathom who clicks on those ads and even makes a purchase.

Pre-covid, I actually benefitted from Instagram advertising (without personalization) because I got to hear about new restaurants in my area... Considering that I block every other kind of advertising and tracking through rather draconian measures, I cannot compare if something else would have been of benefit though. I'd have done the same for Instagram, but then I found some rather excellent places through it, so...
It always amazes me how little self reflection most people have.
The majority of people want to not pay, and also not see ads, so what they want isn't useful.

Has anyone ever been harmed by being tracked? I'd rather see one ad that's relevant to me and will earn the website 1 standard currency unit, than 100 ads I'll never click and will earn 0.01 SCUs

Chances are that the site you are on has some topic that could be the subject of relevant ads. That's how advertising has worked before it became a game of stalking every user to the maximum extent possible.
Yes. Cases of privacy breach:

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

And I'd argue that any time anyone bought something they weren't interested in before seeing an ad for it, they were harmed.

1 case 9 years ago is it?

You're assuming that a) buying things is bad, and b) you're interested in everything that's good for you and already know every product that exists.

It's obviously an example. You asked if anyone's ever been harmed - yes they have.
Yes, during chemo my mother bought on several reiki or hsimilar crooked pseudoscientific stuff to help her cope.

I'm not against seeing your occasionnal pastor/homeopath or other not-doctor that will at least take time to listen to you and rescribe placebo ater you unloaded on them (i think a shrink is more usefull and cheaper, but really i'm not in a crusade or anything, and i'm okay with sect/religion/"natural remedies" as long as it is not lithotherapy and you still get your chemo).

However pseudoscience stuff with no human component and just money is just taking advantage of fragile, suffering people. Aiming at them is as amoral as it get.

Tracking is shit because the ad industry is shit.

> Is someone out there really thinking “ah man, if only advertisements were more relevant!” ???

There's a r/google I sometimes peek at. One common theme there is someone complaining about the ads they get, another one asking about personalisation and the complainer confirming they have it disabled. Not getting ads for mail-in brides is nice.

Disclaimer: I work in Google but nowhere near ads.

Right, absent a very extensive dossier about my habits and desires most reasonable choice for google when serving an ad for this `sed' tutorial is for a mail-in bride?
What else should it be, when nobody tries to put ads relevant to`sed'[1]? Normally, Google would fall back to "put ads for whatever this person is into". But without personalisation, it falls back further to "put ads for whatever the Internet is into". Which appears to tend towards mail-in brides, softcore pornographic games and other sadness.

There's been here a rather good blog post from an engineer actually working on ads on the topic. I think a couple weeks back.

[1]: well, for `sed' I'd rather expect someone trying to sell you an IDE, or to get a cut from recruiting you. But then, what do I know.

> What else should it be, when nobody tries to put ads relevant to`sed'

If there's one company who should know what to advertise when the user searches for "sed", that company is Google. Yes, without personalization, as the user just gave you the information you need!

If they don't they might as well roll the doors down because that's the main core business of Google.

How did advertisers knew what to put on the WSJ? on Time? on Sports Illustrated?

Please try to follow the line of thinking your own questions suggest and stop the ad-hominem.
Where's the ad-hominem? I honestly don't see it.
It has been edited away.
> Is someone out there really thinking “ah man, if only advertisements were more relevant!” ???

honestly, yes. adverts pay for most if not all of the free content on the internet. if adverts were more targeted they would become more profitable and therefore pay for better content.

very well target ads will suggest things to you that you would genuinely like or would be useful to you but have not yet heard about.

I use the internet a lot but i have never once seen an advertisement for something i thought "hey, that looks interesting". The problem is that millions (billions?) of dollars are spend on subconsciously making people want to buy what is advertised, no matter if they need it or not. In any other area this psychological meddling with people's subconscious would be highly illegal. So in short, as long as this exists (and it always will as you can't put research already done back in the box) all advertisement should be illegal if not consented into, targeted or not, beforehand.
> if adverts were more targeted they would become more profitable and therefore pay for better content.

If ads were more targeted, that doesn't necessarily increase neither the ad spend of companies, and it most definitely doesn't increase the amount of money that consumers can spend on the things that are being advertised.

Most of the time, advertising is a zero-sum game. If you take ad targeting away from everyone, everyone will just do untargeted ads (i.e. ads that are only related to the context they appear in, not related to the person seeing them), and there will be no comparative disadvantage for any particular advertiser.

I second everything you said but I try to always customize my cookie settings. But I'm pretty certain it has almost zero effect.

At least I could potentially be in a position to sue (maybe).

So I'm using ff with noscript ublock privacy badger containerization and the likes to mitigate.

It is plain crazy!

There is a 3rd option: not making your website available for EU.
Funny you mention it. I recently visited a site which did exactly that. It blatantly stated, that content is not available for EU customers gabba gabba yadda yadda and in the end it said "No tracking cookies were served with this page", yet ublock origin and privacy budger showed 8 blocked cookies from various souces on this site. Yeah, thanks for nothin'.
Cookie banners are the worst thing to hit the web since ads. I hope at some point this will all be a thing of the past.

> industry statistics show that only 3% of users actually want to agree

I'm sure 99.9% of people are tired of having to click anything the moment they visit a site.

Lots of adblockers support blocking those consent boxes, too.
> I'm sure 99.9% of people are tired of having to click anything the moment they visit a site.

When you think about it, this whole scheme really makes no sense. The web is already partitioned by tech giants. When I visit a new website, the first few seconds define my love-or-hate relationship with it. If the first thing I see is this crap, the website already has some negative points. If I see more bullshit, I just close the tab, there is so much to choose from, I don't have to put up with all this. Website owners should understand it and not actively try to put the visitors off.

In theory the solution is easy: As a website owner don't use tracking or marketing cookies (or any other non-essential cookies) and you don't have to annoy your users with banners.
(comment deleted)
Imagine how many meetings there have been where companies have decided to violate the GDPR by various half-assed implementations of cookie banners.

I'm guessing people here on HN have been in such meetings. How does that discussion actually go? "We could put up a clearly compliant 'Reject all', but it would hurt our bottom line too much, so what can we do instead"?

Also: it's interesting to see the design of the OneTrust tool that (apparently) is popular for creating a cookie banner. It seems like a hundred options, where most combinations would form non-compliant solution, and are only there to give sites the ability to trick users by dark patterns. E.g. why would "Show reject all" even be an option? Who actually needs help from a third party tool to be not-quite-compliant?

With the cookie banners the way they are I'd say cookies are an antipattern and I wonder why the webdesign industry hasn't done away with them entirely.

I think they contribute to the overall decrease in excitement about the Web. You never start to interact with a website in a fun way, it's always a click-based legal contract first.

Alice sends Bob a message: “please GET me /coolpage”

Bob replies, and adds a code, with which Alice can send to Bob to identify herself if she wishes.

Alice is free to include it, or not, in any subsequent message.

Asking to “store a cookie” in a banner makes no sense - as it is Alice’s choice to include it or not in the first place.

Bureaucrat be gone

Yeah I'm glad recent releases of firefox added the option to disable cookies back to the settings page.

Oh wait

I agree with you - Firefox does not help you keep cookies out without private mode or addons afaik
GDPR isn't about cookies, its about collection and handling of PII.
AFAIK People inform about cookies when they don't have to.

If you use cookies only for technical stuff (auth)

then you do not have to inform about them and that's why Github stopped doing it in last months iirc.

Is this true? That would be great.
I think yea, but I didn't read all cookie related stuff

>Operational cookies

>There are some cookies that we have to include in order for certain web pages to function. For this reason, they do not require your consent. In particular:

  >  authentication cookies
  >  technical cookies required by certain IT systems

https://ec.europa.eu/info/cookies_en
Well, yes, although this "for technical stuff" is quite vogue and misleading. Law actually states things "strictly necessary" don't need and agreement. So your auth session doesn't need anything, but your 3rd party monitoring software does. I wish this would be easier for me. A lot of sites on my market add disgusting banners even if they don't use cookies at all, or cookies were already created :)

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

I had a glance at my local interpretation it also states that it is not necessary to consent if it is directly required to fulfill action explicitly started by a user.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62...

Yes. And more. At my previous company, we were close to the CNIL (French GDPR watchdog) because we hosted medical data. Auth and other technically important cookies (like a shopping cart) are usefull so GDPR don't apply.

Basically, if you don't sell your user data and process it for your own services, you can recolt almost whatever you want, even PII like ip adresses

Yes, any PII that you obtain for a user for the express and sole purpose of something that the user asks of you (like a delivery address or a session cookie or a name to be printed on a business card) requires no further explicit approval

if you are going to use it for something else, like sending a weekly brochure after the delivery you do have to ask permission for that additional action

I was explaining this to a co-founder and they insisted on having a banner anyway because they didn't understand the law, didn't understand the difference in cookie types, and were worried about fines.

I've come to the conclusion that this should be baked into the browser rather than letting every site owner do their own thing.

The real problem with the law is that you need a cookie to set the preference for the tracking to begin with, which I don't want. The law of course states that there shouldn't be any tracking without explicit consent.

I'm sure the people using cookie blockers here are pretty familiar at how bad the browsing experience becomes if you expire and/or block cookies.

The law should have been amended to REQUIRE websites to honor the already-existing-and-failed do-not-track header and ENFORCE that such header results in no popup whatsoever, since the choice has ALREADY been made.

That is also required since the law is pretty generic and doesn't explicitly mention "cookies", but any method which can be used for tracking purposes.

The question for a website on a technical level is then:

- If I land on a website with such a consent, how do I guarantee that the first request before and UNTIL the consent is acted on respects my will to not be tracked?

- Doing so as a dev is an absolute nightmare. Using the header would be a huge time saver.

- As a user, how do I ensure I'm not being tracked? Let's be honest: I do not trust even google to honor the setting. Shady organizations are commonplace on the web. Everybody knows (browser vendors included) you need to act in a defensive manner.

Blocking everything unless explicitly allowed is the only strategy that should be followed currently by those who care (and are willing to endure the resulting experience)

Not all cookies require consent. There are many legitimate reasons to collect personal data - consent is only required if you cannot find another legitimate reason.

For cookies that mean: technical cookies that you need to technical provide your offering (think of authentication session cookie, loadbalancer sticky session cookies, but also cookies to understand if someone opted into tracking) can be set with legitimate interest and do not require a consent.

A consent under GDPR is strictly opt-in. This means, by default you must not track a user (EU citizen) that just landed on your site. After consent, you can load your GA plugin.

> The real problem with the law is that you need a cookie to set the preference for the tracking to begin with, which I don't want. The law of course states that there shouldn't be any tracking without explicit consent.

The law doesn't concern itself with tracking directly. It talks about the use and handling of personal information. Putting a cookie on your machine to record that you rejected all tracking (i.e. "tracking=no"), is perfectly fine and does not require consent. It is not personal information.

One interesting point: it seems that the so-called cookie law and the GDPR are more connected than I initially thought.

Under the "old" cookie law, I offer no cookie rejection change for my own (personal, non-commercial, no-advertising) blog, I just inform my visitors of the cookies I set.

Now I'm not sure whether I'm subject to the GDPR and if I should change something on my website.

Ref: https://gdpr.eu/cookies/

> Now I'm not sure whether I'm subject to the GDPR and if I should change something on my website.

Do you use cookies or cookie-like functionality (localstorage etc) for purposes other than those essential to the function of your website (such as logging in, keeping track of items in a cart, or other user-visible legitimate functionality)?

If you only use them for that, you are not subject to having to display a cookie banner. Otherwise, you have to give the user a way to refuse opting into having you do that.

I know the principles, but it's not that easy.

AFAICU (I'm not a lawyer), if we only considered the cookie law, it was perfectly ok not to give access to my website until the user had clicked "ok" on my terms and accepted my cookies. Nothing forced the website owner to offer a "partial acceptance of terms". The user just had to be informed.

Then GDPR happened. Now the marketing consent must be given freely, so "marketing cookies" need to be excluded.

I use very few cookies on my website, but I employ Google Analytics (with some privacy options set) and Disqus (which has changed ownership some years ago).

Should I let people use the website without GA or Disqus even though I, personally, don't do any marketing through those?

> Should I let people use the website without GA or Disqus even though I, personally, don't do any marketing through those?

Even if they are served by third parties, you are the one who is responsible for those cookies. GA is definitely non-essential, disqus probably too. So if you want to be by the book, you need to ask the user for consent: If they consent, you can enable GA and Disqus. If they reject, you should disable those. You can also split up consent for disqus and GA.

Now the "cookie banner" pattern frankly sucks egg. You don't have to go that route specifically. What you could do instead as a more user-friendly approach, as far as the comments go, is a "load comments" button which, when you click it, tells the user "Our comments are hosted externally. In order to load them, we need to load third party scripts and cookies from disqus.com. See Disqus privacy policy here <link>. [Accept] [Reject]" -- Once they click that, you're good to always load the comments by default, no more button/pop-up.

This can get very complex very quickly for a personal blog, though. I can remove GA at any time, and I'll probably remove it since I rarely look at my analytics, but Disqus is essential for commenting, which is integral to blogging IMHO.

The problem with the cookie law and the GDPR is that they adopt greenfield approach to an existing environment, without implementation examples.

BTW, as far as I know, the GDPR doesn't apply to me as "a natural person in the course of a purely personal or household activity", while the cookie law DOES apply.

But the scope of such statement if highly debated and, of course, Google and Disqus are not exempt from the GDPR.

So?

I feel that the GDPR is a good law. But it simply ignoring the status quo from an implementation perspective won't yield the results the lawmaker hoped for.

Do Facebook as well. Here is their trick:

1. Connect with a private browser session so that you get a fresh "Accept Cookies". 2. You are asked whether to "Accept All" (highlighted), or "Manage Settings". 3. You click on "Manage Settings". The cookie options are indeed unselected, but the only button says "Accept cookies".

You click to "Accept cookies" in order to not accept cookies!

In uBlock Origin I've seen a few domains with the word `cookie` in them and after investigating them, they are serving Javascript that by virtue of being a third party, are scooping up personal data, not protecting it. Of course I blocked these in uBlock manually, but it breaks the site since the banner overlaps the content and I can't read my article, so I have to manually remove the offending HTML element using uBlock's element picker. Such a ridiculous farce!
Of all places, StackOverflow/Exchange has something similar going on: The javascript for its cookie banner gets blocked by PrivacyBadger, so you end up with none of the buttons working and it blocking half the content.